Summary 

For more than a decade, various experts have expressed increasing concerns about cybersecurity, 
in light of the growing frequency, impact, and sophistication of attacks on information systems in 
the United States and abroad. Consensus has also been building that the current legislative 
framework for cybersecurity might need to be revised. 

The complex federal role in cybersecurity involves both securing federal systems and assisting in 
protecting nonfederal systems. Under current law, all federal agencies have cybersecurity 
responsibilities relating to their own systems, and many have sector-specific responsibilities for 
critical infrastructure. 

More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but 
there is no overarching framework legislation in place. While revisions to most of those laws 
have been proposed over the past few years, no major cybersecurity legislation has been enacted 
since 2002. 

Recent legislative proposals, including many bills introduced in recent Congresses, have focused 
largely on issues in 10 broad areas (see “Selected Issues Addressed in Proposed Legislation” for 
an overview of how current legislative proposals would address issues in several of those areas): 

• national strategy and the role of government, 

• reform of the Federal Information Security Management Act (FISMA), 

• protection of critical infrastructure (including the electricity grid and the 
chemical industry), 

• information sharing and cross-sector coordination, 

• breaches resulting in theft or exposure of personal data such as financial 
information, 

• cybercrime, 

• privacy in the context of electronic commerce, 

• international efforts, 

• research and development, and 

• the cybersecurity workforce. 

For most of those topics, at least some of the bills addressing them have proposed changes to 
current laws. Several of the bills specifically focused on cybersecurity received committee or 
floor action in the 112th and 113th Congresses, but none has become law. In the absence of 
enactment of cybersecurity legislation, the White House issued Executive Order 13636, with 
provisions on protection of critical infrastructure, including information sharing and standards 
development. 

Comprehensive legislative proposals on cybersecurity that received considerable attention in 
2012 are The Cybersecurity Act of 2012 (CSA2012, S. 2105, reintroduced in revised form as S. 
3414), recommendations from a House Republican task force, and a proposal by the Obama 
Administration. They differed in approach, with S. 2105 proposing the most extensive regulatory 
framework and organizational changes, and the task force recommendations focusing more on 
incentives for improving private-sector cybersecurity. An alternative to S. 2105 and S. 3414, S. 
3342 (a refinement of S. 2151), did not include enhanced regulatory authority or new federal 
entities, but did include cybercrime provisions. S. 3414 was debated in the Senate but failed two 
cloture votes. 

Several narrower House bills would address some of the issues raised and recommendations 
made by the House task force. Four passed the House in 2012 but were not considered by the 
Senate. They were reintroduced and passed the House again, with some amendments, in April 
2013: 

• Cyber Intelligence Sharing and Protection Act (H.R. 624), which focuses on 
information sharing and coordination, including sharing of classified 
information; 

• Cybersecurity Enhancement Act of 2013 (H.R. 756), which addresses federal 
cybersecurity R&D and the development of technical standards; 

• Advancing America’s Networking and Information Technology Research and 
Development Act of 2013 (H.R. 967), which addresses R&D in networking and 
information technology, including but not limited to security; and 

• Federal Information Security Amendments Act of 2012 (H.R. 1163), which 
addresses FISMA reform. 

One bill from the 112th Congress was ordered reported out of the full committee but did not come 
to the floor: 

• Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness 
Act of 2011 or PRECISE Act of 2011 (H.R. 3674), which addressed the role of 
the Department of Homeland Security in cybersecurity, including protection of 
federal systems, personnel, R&D, information sharing, and public/private sector 
collaboration in protecting critical infrastructure. 

Together, those House and Senate bills have addressed most of the issues listed above, although 
in different ways. All include proposed revisions to some existing laws covered in this report. 
Introduction 

For more than a decade, various experts have expressed concerns about information-system 
security — often referred to as cybersecurity — in the United States and abroad.[1] The frequency, 
impact, and sophistication of attacks on those systems have added urgency to the concerns.[2] 
Consensus has also been growing that the current legislative framework for cybersecurity might 
need to be revised to address needs for improved cybersecurity, especially given the continuing 
evolution of the technology and threat environments. This report, with contributions from several 
CRS staff (see Acknowledgments), discusses that framework and proposals to amend more than 
30 acts of Congress that are part of or relevant to it. For a CRS compilation of reports and other 
resources on cybersecurity, see CRS Report R42507, Cybersecurity: Authoritative Reports and 
Resources, by Rita Tehan. For additional selected CRS reports relevant to cybersecurity, see CRS 
Issues Before Congress: Cybersecurity. 

[1] The term information systems is defined in 44 U.S.C. §3502 as “a discrete set of information resources organized for 
the collection, processing, maintenance, use, sharing, dissemination, or disposition of information,” where information 
resources is “information and related resources, such as personnel, equipment, funds, and information technology.” 
Thus cybersecurity, a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might 
best be described as measures intended to protect information systems — including technology (such as devices, 
networks, and software), information, and associated personnel — from various forms of attack. The concept has, 
however, been characterized in various ways. For example, the interagency Committee on National Security Systems 
has defined it as “the ability to protect or defend the use of cyberspace from cyber attacks,” where cyberspace is 
defined as “a global domain within the information environment consisting of the interdependent network of 
information systems infrastructures including the Internet, telecommunications networks, computer systems, and 
embedded processors and controllers” (Committee on National Security Systems, National Information Assurance (IA) 
Glossary, April 2010, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf). In contrast, cybersecurity has also been defined 
as synonymous with information security (see, for example, S. 773, the Cybersecurity Act of 2010, in the 111th 
Congress), which is defined in current law (44 U.S.C. §3532(b)(1)) as 

protecting information and information systems from unauthorized access, use, disclosure, disruption, 
modification, or destruction in order to provide — 

(A) integrity, which means guarding against improper information modification or destruction, and 
includes ensuring information nonrepudiation and authenticity; 

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including 
means for protecting personal privacy and proprietary information; 

(C) availability, which means ensuring timely and reliable access to and use of information; and 

(D) authentication, which means utilizing digital credentials to assure the identity of users and validate their 
access. 

[2] See, for example, IBM, IBM X-Force® 2011 Mid-year Trend and Risk Report, September 2011, 
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03009usen/WGL03009USEN.PDF; Barbara Kay and Paula Greve, 
Mapping the Mal Web IV (McAfee, September 28, 2010), http://us.mcafee.com/en-us/local/docs/MTMW_Report.pdf; 
Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: 
Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011, 
http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf; Symantec, Symantec 
Internet Security Threat Report: Trends for 2010, Volume 16, April 2011, https://www4.symantec.com/mktginfo/ 
downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf. 

Current Legislative Framework 

The federal role in addressing cybersecurity is complex. It involves both securing federal systems 
and fulfilling the appropriate federal role in protecting nonfederal systems. There is as yet no 
overarching framework legislation in place, but many enacted statutes address various aspects of 
cybersecurity. Some notable provisions are in the following acts: 

• The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 
prohibits various attacks on federal computer systems and on those used by banks 
and in interstate and foreign commerce. 

• The Electronic Communications Privacy Act of 1986 (ECPA) prohibits 
unauthorized electronic eavesdropping. 

• The Computer Security Act of 1987 gave the National Institute of Standards and 
Technology (NIST) responsibility for developing security standards for federal 
computer systems, except the national security systems[3] that are used for defense 
and intelligence missions, and gave responsibility to the Secretary of Commerce 
for promulgating security standards. 

• The Paperwork Reduction Act of 1995 gave the Office of Management and 
Budget (OMB) responsibility for developing cybersecurity policies. 

• The Clinger-Cohen Act of 1996 made agency heads responsible for ensuring the 
adequacy of agency information-security policies and procedures, established the 
chief information officer (CIO) position in agencies, and gave the Secretary of 
Commerce authority to make promulgated security standards mandatory. 

• The Homeland Security Act of 2002 (HSA) gave the Department of Homeland 
Security (DHS) some cybersecurity responsibilities in addition to those implied 
by its general responsibilities for homeland security and critical infrastructure. 

• The Cyber Security Research and Development Act, also enacted in 2002, 
established research responsibilities in cybersecurity for the National Science 
Foundation (NSF) and NIST. 

• The E-Government Act of 2002 serves as the primary legislative vehicle to guide 
federal IT management and initiatives to make information and services available 
online, and includes various cybersecurity requirements. 

• The Federal Information Security Management Act of 2002 (FISMA) clarified 
and strengthened NIST and agency cybersecurity responsibilities, established a 
central federal incident center, and made OMB, rather than the Secretary of 
Commerce, responsible for promulgating federal cybersecurity standards. 

More than 40 other laws identified by CRS also have provisions relating to cybersecurity (see 
Table 2). Revisions to many of those laws have been proposed. Many cybersecurity bills and 
resolutions have been introduced in the last three Congresses, more than a dozen in the 113th 
Congress, over 40 in the 112th, and more than 60 in the 111th.[4] Several have proposed revisions to 
current laws, and several received committee or floor action, but none has become law. In fact, 
no comprehensive cybersecurity legislation has been enacted since 2002.[5] 

[3] This term is defined in 44 U.S.C. §3542(b)(2). 

[4] Those bills were identified through a two-step process — candidates were found through searches of the Legislative 
Information System (LIS, http://www.congress.gov) using “cybersecurity,” “information systems,” and other relevant 
terms in the text of the bills, followed by examination of that text in the candidates to determine relevance for 
cybersecurity. Use of other criteria may lead to somewhat different results. For example, using the LIS “cybersecurity” 
topic search yields about 30 bills in the 112th Congress and 40 in the 111th, with about a 50% overlap in the bills 
included. While that difference is higher than might be expected, none of the bills identified uniquely by the LIS topic 
search are relevant to the discussion in this report. 



Executive Branch Actions 

Some significant executive actions have been taken, however.[6] The George W. Bush 
Administration established the Comprehensive National Cybersecurity Initiative (CNCI) in 2008 
through National Security Presidential Directive 54 / Homeland Security Presidential Directive 
23 (NSPD-54/HSPD-23). Those documents are classified, but the Obama Administration released 
a description of them in March 2010.[7] Goals of the 12 subinitiatives in that description include 
consolidating external access points to federal systems; deploying intrusion detection and 
prevention systems across those systems; improving research coordination and prioritization and 
developing “next-generation” technology, information sharing, and cybersecurity education and 
awareness; mitigating risks from the global supply chain for information technology; and 
clarifying the federal role in protecting critical infrastructure. 

In December 2009, the Obama Administration appointed Howard Schmidt to the position of 
White House Cybersecurity Coordinator.[8] He was a member of the White House national security 
staff and was responsible for government-wide coordination of cybersecurity, including the 
CNCI. One of the most visible initiatives in which he was involved was the implementation of 
automated, continuous monitoring of federal information systems.[9] Other stated priorities 
included developing a unified strategy for network security and incident response, and 
strengthening partnerships with the private sector and other countries. He worked with both the 
National Security and Economic Councils in the White House. However, the position has no 
direct control over agency budgets, and some observers argue that operational entities such as the 
National Security Agency (NSA) have far greater influence and authority.[10] He was succeeded by 
Michael Daniel in May 2012. 

The Obama Administration has also launched several initiatives,[11] including Executive Order 
13636, Improving Critical Infrastructure Cybersecurity.[12] It expands an existing program for 
information sharing and collaboration between the government and the private sector, establishes 
a process for identifying critical infrastructure (CI) with especially high priority for protection, 
requires NIST to lead in developing a framework of cybersecurity standards and best practices for 
protecting CI; and requires regulatory agencies to determine the adequacy of current requirements 
and their authority to establish requirements to address the risks.[13] A companion presidential 
policy directive (PPD-21) revises other aspects of policy relating to CI security with the aim of 
improving integration and efficiency, among other goals.[14] 

[5] Among the broader proposals in the 111th Congress, S. 773 (S.Rept. 111-384) and S. 3480 (S.Rept. 111-368) were 
reported by the originating committees. H.R. 4061 (H.Rept. 111-405) and H.R. 5136 (Title XVII, mostly similar to 
H.R. 4900) both passed the House. A bill combining provisions of the two Senate bills was drafted (Tony Romm, 
“Lack of Direction Slows Cybersecurity,” Politico, November 4, 2010, http://www.politico.com/news/stories/1110/ 
44662.html). In the 112th Congress, S. 413 is similar to S. 3480 in the previous Congress, H.R. 756 (H.Rept. 112-264) 
is similar to H.R. 4061, and the Senate combined bill, S. 2105, includes elements of S. 773, S. 413, S. 2102, and a 
proposal put forward by the White House in April 2011 (see below). 

[6] This update does not include executive branch actions taken since December 2011. 

[7] The White House, “The Comprehensive National Cybersecurity Initiative,” March 5, 2010, 
http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative. For additional information 
about this initiative and associated policy considerations, see CRS Report R40427, Comprehensive National 
Cybersecurity Initiative: Legal Authorities and Policy Considerations, by John Rollins and Anna C. Henning. 

[8] The position has been popularly called the “cyber czar.” 

[9] Jeffrey Zients, Vivek Kundra, and Howard A. Schmidt, “FY 2010 Reporting Instructions for the Federal Information 
Security Management Act and Agency Privacy Management,” Office of Management and Budget, Memorandum for 
Heads of Executive Departments and Agencies M-10-15, April 21, 2010, http://www.whitehouse.gov/omb/assets/ 
memoranda_2010/m10-15.pdf. 

[10] See, for example, Seymour M. Hersh, “Judging the cyber war terrorist threat,” The New Yorker, November 1, 2010, 
http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh?currentPage=all. 

[11] Among them are White House strategies to improve the security of Internet transactions (The White House, National 
(continued...) 

Congressional Research Service 

Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions 

Under current law, all federal agencies have cybersecurity responsibilities relating to their own 
systems, and many have sector-specific responsibilities for critical infrastructure, such as the 
Department of Transportation for the transportation sector. Cross-agency responsibilities are 
complex, and any brief description is necessarily oversimplified. In general, in addition to the 
roles of White House entities, DHS is the primary civil-sector cybersecurity agency. NIST, in the 
Department of Commerce, develops cybersecurity standards and guidelines that are promulgated 
by OMB, and the Department of Justice is largely responsible for the enforcement of laws 
relating to cybersecurity.[15] The National Science Foundation (NSF), NIST, and DHS all perform 
research and development (R&D) related to cybersecurity. The National Security Agency (NSA) 
is the primary cybersecurity agency in the national security sector, although other agencies also 
play significant roles. The recently established U.S. Cyber Command, part of the U.S. Strategic 
Command in the Department of Defense (DOD), has primary responsibility for military 
cyberspace operations. 



Legislative Proposals 

In general, legislative proposals on cybersecurity in recent Congresses have focused largely on 
issues in 10 broad areas: 

• national strategy and the role of government, 

• reform of FISMA, 

• protection of critical infrastructure (especially the electricity grid and the 
chemical industry), 

• information sharing and cross-sector coordination, 

• breaches resulting in theft or exposure of personal data such as financial 
information, 

• cybercrime offenses and penalties, 

• privacy in the context of electronic commerce, 

• international efforts, 

• research and development (R&D), and 

• the cybersecurity workforce. 

For most of those topics, at least some of the bills addressing them proposed changes to current 
laws.[16] 

(...continued) 
Strategy for Trusted Identities in Cyberspace, April 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/ 
NSTICstrategy_041511.pdf) and to coordinate international efforts (The White House, International Strategy for 
Cyberspace, May 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/ 
international_strategy_for_cyberspace.pdf), and an executive order on sharing and security for classified information 
(Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible 
Sharing and Safeguarding of Classified Information,” Federal Register 76, no. 198 (October 13, 2011): 63811-63815, 
http://www.gpo.gov/fdsys/pkg/FR-2011-10-13/pdf/2011-26729.pdf). 

[12] Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” Federal Register 78, no. 33 (February 19, 
2013): 11737-11744. 

[13] For more information, see CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and 
Considerations for Congress, by Eric A. Fischer et al. 

[14] The White House, “Critical Infrastructure Security and Resilience,” Presidential Policy Directive 21, February 12, 
2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure- 
security-and-resil. 

[15] This responsibility is shared to some extent with other agencies such as the U.S. Secret Service. 

Despite the lack of enactment of cybersecurity legislation in the 112th Congress, there still appears 
to be considerable support in principle for significant legislation to address most of the issues 
identified above. The House, Senate, and White House have taken somewhat different approaches 
to such legislation. 

Selected Legislative Proposals in the 112th and 113th Congresses 

The Senate worked over two years on a comprehensive bill synthesizing approaches proposed by 
the Homeland Security and Governmental Affairs Committee (S. 3480 in the 111th Congress and 
S. 413 in the 112th), the Commerce, Science, and Transportation Committee (S. 773 in the 111th 
Congress), and others. S. 2105, the Cybersecurity Act of 2012, which included features of both 
those bills and others,[17] was introduced in February 2012. A revised version, S. 3414, also known 
as CSA2012, was introduced in July. An alternative Senate bill, S. 3342, the SECURE IT Act,[18] 
was a revision of S. 2151, which was originally introduced in March.[19] Several other Senate bills 
would have addressed specific aspects of cybersecurity, such as data breaches of personal 
information and cybercrime. S. 3342 was debated in the Senate in July. A cloture motion failed on 
August 2, 2012, and again on November 14. The Senate is expected to consider cybersecurity 
legislation again in the 113th Congress. 

In April 2011, the White House sent a comprehensive, seven-part legislative proposal (White 
House Proposal) to Congress.[20] Some elements of that proposal were included in both House and 
Senate bills. Reports of a possible executive order circulated after S. 3342 failed to reach cloture 
in August 2012.[21] Opposition to such an action was expressed by some Members of Congress, 
citing reasons relating to potential impacts on legislative efforts, the private sector, and 
international negotiations.[22] E.O. 13636 was released in February 2013. 

[16] For specific analysis of legal issues associated with several of the bills being debated in the 112th Congress, see CRS 
Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al. 

[17] The title on information sharing is similar to S. 2102. 

[18] SECURE IT is an acronym for Strengthening and Enhancing Cybersecurity by Using Research, Education, 
Information and Technology. 

[19] A very similar but not identical bill, H.R. 4263, was introduced in the House April 9. It is not discussed separately in 
this update. 

[20] The White House, Complete Cybersecurity Proposal, 2011, http://www.whitehouse.gov/sites/default/files/omb/ 
legislative/letters/law-enforcement-provisions-related-to-computer-security-full-bill.pdf. One part does not appear to be 
directly related to cybersecurity. It would restrict the authority of state and local jurisdictions with respect to the 
location of commercial data centers. 

In the House of Representatives, in October 2011, the 12-Member House Republican 
Cybersecurity Task Force, which had been formed by Speaker Boehner in June, released a series 
of recommendations (Task Force Report) to be used by House committees in developing 
cybersecurity legislation.[23] Unlike the other proposals, it was not presented in the form of a bill or 
bills. Several House bills were introduced subsequently that addressed some of the issues raised 
and recommendations made by the Task Force Report. Four passed the House the week of April 
23, 2012: 

• Cybersecurity Enhancement Act of 2011 (H.R. 2096), which addressed federal 
cybersecurity R&D and the development of technical standards; 

• Cyber Intelligence Sharing and Protection Act (H.R. 3523), which focused on 
information sharing and coordination, including sharing of classified 
information;[24] 

• Advancing America’s Networking and Information Technology Research and 
Development Act of 2012 (H.R. 3834), which addressed R&D in networking and 
information technology, including but not limited to security;[25] and 

• Federal Information Security Amendments Act of 2012 (H.R. 4257), which 
addressed FISMA reform. 

Those bills were all reintroduced in the 113th Congress and passed the House, with some 
amendments, in April 2013: 

• Cybersecurity Enhancement Act of 2013 (H.R. 756); 

• Cyber Intelligence Sharing and Protection Act (H.R. 624); 

• Advancing America’s Networking and Information Technology Research and 
Development Act of 2013 (H.R. 967); and 

• Federal Information Security Amendments Act of 2013 (H.R. 1163). 

A fifth 2012 bill was ordered reported out of full committee on April 18 but received no floor 
consideration in the 112th Congress:[26] 

• Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness 
Act of 2011 or PRECISE Act of 2011 (H.R. 3674), which addressed the role of 
the Department of Homeland Security in cybersecurity, including protection of 
federal systems, personnel, R&D, information sharing, and public/private sector 
collaboration in protecting critical infrastructure. 

Specific issues addressed by several of those bills and proposals are noted in Table 1. The table 
and subsequent discussion include H.R. 3674, S. 2105, S. 2151, S. 3342, and S. 3414, from the 
112th Congress, and H.R. 624, H.R. 756, H.R. 967, and H.R. 1163 from the 113th Congress. The 
Task Force Report and White House Proposal are also considered. Together, those proposals 
address most of the issues listed above, although in different ways. All included or discussed 
proposed revisions to some existing laws covered in this report. 

[21] Josh Smith, “GOP Senators Assail White House for Pushing Executive Order on Cybersecurity,” Nextgov, 
September 14, 2012, http://www.nextgov.com/cybersecurity/2012/09/gop-senators-assail-white-house-pushing- 
executive-order-cybersecurity/58123/; Jaikumar Vijayan, “Obama to Issue Cybersecurity Executive Order This 
Month,” Computerworld: Cyberwarfare, February 1, 2013, http://www.computerworld.com/s/article/9236438/ 
Obama_to_issue_cybersecurity_executive_order_this_month?source=CTWNLE_nlt_pm_2013-02-01. 

[22] The Honorable Fred Upton et al. to President Barack Obama, October 11, 2012, http://energycommerce.house.gov/ 
sites/republicans.energycommerce.house.gov/files/letters/20121011Cybersecurity.pdf; Senate Committee on Homeland 
Security and Government Affairs, “Senators Collins, Snowe, and Lugar to White House: Refrain from Executive Order 
on Cybersecurity,” Press Release, October 10, 2012, http://www.hsgac.senate.gov/media/minority-media/senators- 
collins-snowe-and-lugar-to-white-house-refrain-from-executive-order-on-cybersecurity. 

[23] House Republican Cybersecurity Task Force, Recommendations of the House Republican Cybersecurity Task Force, 
October 5, 2011, http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf. 

[24] The Obama Administration has objected to this bill, claiming that it does not address cybersecurity needs for critical 
infrastructure, and contains overly broad liability protections for private-sector entities and insufficient protections for 
individual privacy, confidentiality, and civil liberties (The White House, “H.R. 3523 — Cyber Intelligence Sharing and 
Protection Act,” Statement of Administration Policy, April 25, 2012, http://www.whitehouse.gov/sites/default/files/ 
omb/legislative/sap/112/saphr3523r_20120425.pdf). The Administration has not released statements of administration 
policy for any of the other bills discussed in this report. 

[25] For discussion of this bill and H.R. 756, see also CRS Report RL33586, The Federal Networking and Information 
Technology Research and Development Program: Background, Funding, and Activities, by Patricia Moloney Figliola. 



[26] H.R. 3674 was marked up by the Subcommittee on Cybersecurity, Infrastructure Protection, and Security 
Technologies of the Committee on Homeland Security on February 1 and forwarded to the full committee, which 
substantially amended the bill in its April 18 markup and was reported by the committee on July 11 (see H.Rept. 112- 
592). The committee may consider cybersecurity legislation again in the 113th Congress. 

Table 1. Comparison of Topics Addressed by Selected Legislative Proposals 
on Cybersecurity in the 112th and 113th Congress 

Topic                                              | Selected House bills           | Task Force | S. 2105 | S. 3414 | S. 3342   | White House 
                                                   |                                | Report     |         |         | (S. 2151) | Proposal 
---------------------------------------------------|--------------------------------|------------|---------|---------|-----------|------------ 
DHS authorities for protection of federal systems  | H.R. 3674 (a)                  | X          | X       | X       |           | X 
New DHS office/center                              | H.R. 3674                      |            | X       | X       |           | X 
Cybersecurity workforce authorities and programs   | H.R. 756, H.R. 967, H.R. 3674  | X          | X       | X       | X         | X 
Supply-chain vulnerabilities                       | H.R. 3674                      | X          | X       | X       |           | X 
Cybersecurity R&D                                  | H.R. 756, H.R. 967, H.R. 3674  | X          | X       | X       | X         | X 
FISMA reform                                       | H.R. 1163                      | X          | X       | X       | X         | X 
Protection of privately held critical              | H.R. 3674                      | X          | X (b)   | X (b)   |           | X 
  infrastructure (CI)                              |                                |            |         |         |           | 
Government/private-sector collaboration on CI      | H.R. 3674                      | X          | X       | X       |           | X 
  protection                                       |                                |            |         |         |           | 
Additional regulation of privately held critical   |                                | X          | X       | X       |           | X 
  infrastructure                                   |                                |            |         |         |           | 
Information sharing                                | H.R. 624, H.R. 3674            | X          | X       | X       | X         | X 
FOIA exemption for cybersecurity information       | H.R. 624                       | X          | X       | X       | X         | X 
New information-sharing entities                   | (H.R. 3674) (c)                | X          | X       | X       |           | 
Public awareness                                   | H.R. 756                       | X          | X       | X       |           | X 
Cybercrime law                                     |                                | X          |         |         | X         | X 
Data breach notification                           |                                | X          |         |         |           | X 
Internet security provider code of conduct         |                                | X          |         |         |           | 
National security/defense and federal civil        |                                | X          |         |         |           | 
  sector coordination                              |                                |            |         |         |           | 

Source: CRS. 

Note: S. 3342 was a revised version of S. 2151, and S. 3414 was a revised version of S. 2105. 

a. Bills listed in italics are from the 112th Congress and are included in the absence of similar or corresponding 
bills in the 113th Congress. 

b. S. 3414 would have permitted regulatory agencies to adopt certain cybersecurity practices as mandatory 
requirements, but did not provide regulatory authority beyond that in other law. S. 2105 would have 
provided the Secretary of Homeland Security with new regulatory authority for cybersecurity. 

c. The subcommittee version of this bill would have created a new nonprofit quasi-governmental information- 
sharing entity, but the committee version omitted those provisions (see “Information Sharing” below). 

Those addressed in the House bills are 

• “Cyber Security Research and Development Act, 2002” (H.R. 756, S. 2105, S. 2151, S. 3342, S. 3414); 

• “Federal Information Security Management Act of 2002 (FISMA)” (H.R. 1163, the Task Force Report, S. 2105, S. 2151, S. 3342, S. 3414, the White House Proposal); 

• “High Performance Computing Act of 1991” (H.R. 967, S. 2105, S. 2151, S. 3342, S. 3414); 

• “Homeland Security Act of 2002 (HSA)” (H.R. 3674, S. 2105, S. 3414, the White House Proposal); and 

• “National Security Act of 1947” (H.R. 624). 

Those addressed in other legislative proposals are 
• “Antitrust Laws and Section 5 of the Federal Trade Commission Act” (Task Force Report, S. 2151, S. 3342); 

• “Clinger-Cohen Act (Information Technology Management Reform Act) of 1996” (S. 2105, S. 3414, White House Proposal); 27 

• “Counterfeit Access Device and Computer Fraud and Abuse Act of 1984” (Task Force Report, S. 2151, S. 3342, White House Proposal); 

• “E-Government Act of 2002” (White House Proposal); 

• “Electronic Communications Privacy Act of 1986 (ECPA)” (Task Force Report); 

• “Identity Theft Penalty Enhancement Act” (Task Force Report); and 

• “Racketeer Influenced and Corrupt Organizations Act (RICO)” (Task Force Report). 

Also, some legislative proposals would provide exemptions under the “Freedom of Information Act (FOIA)” for certain kinds of information provided to the federal government (Task Force Report, H.R. 624, S. 2105, S. 2151, S. 3342, S. 3414, White House Proposal). H.R. 624, S. 2151, and S. 3342 would also permit information sharing that might otherwise be subject to antitrust or other restrictions on sharing, 28 and the Task Force Report stated that an antitrust exemption might be necessary. 

Selected Issues Addressed in Proposed Legislation 

The proposals listed in Table 1 take a range of approaches to address issues in cybersecurity. The discussion below compares those approaches for several issues — “DHS Authorities for Protection of Federal Systems,” the “Cybersecurity Workforce,” “Research and Development,” “FISMA Reform,” “Protection of Privately Held Critical Infrastructure (CI),” and “Information Sharing.” For discussion of legal issues associated with protection of federal systems, critical infrastructure, and information sharing, see CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al. 

DHS Authorities for Protection of Federal Systems 

DHS currently has very limited statutory responsibility for the protection of federal information 
systems. The degree to which its role should be modified has been a matter of some debate. Five 
of the legislative proposals listed in Table 1 addressed DHS authorities for federal civil systems. 29 
All five bills would have enhanced DHS authorities, although to varying degrees and in varying 
ways. 

The Task Force Report proposed that Congress “formalize” DHS’s current coordinating role in 
cybersecurity. H.R. 3674 would have added new provisions on DHS cybersecurity activities to 



27 See also “Federal Information Security Management Act of 2002 (FISMA).” 

28 See CRS Report R42409, Cybersecurity: Selected Legal Issues for more detail. 

29 As used here, civil systems means federal information systems other than national security systems (defined in 44 
U.S.C. §3542) and mission-critical Department of Defense and Intelligence Community systems (i.e., compromise of 
those systems “would have a debilitating impact on the mission” of the agencies [see 44 U.S.C. 3543(c)]). 
Title II of HSA; S. 2105, S. 3414, and the White House Proposal would have added a new subtitle to HSA. All four proposals would have provided specific authorities and responsibilities to DHS for risk assessments, protective capabilities, and operational cybersecurity activities. 

S. 2105 and S. 3414 had similar provisions that would have created a new, consolidated DHS 
cybersecurity and communications center with a Senate-confirmed director who would be 
responsible for managing federal cybersecurity efforts; for developing and implementing 
information-security policies, principles, and guidelines; and other functions, including risk 
assessments and other activities to protect federal systems. The White House Proposal would 
have provided such enhanced authority to the DHS Secretary rather than a new center. However, 
the White House Proposal would have required the Secretary to establish a center with 
responsibilities for protecting federal information systems, facilitating information sharing, and 
coordinating incident response. H.R. 3674 would have established a DHS center with 
responsibility for information sharing (see “Information Sharing”) and technical assistance, and 
would have authorized DHS to conduct specific activities to protect federal systems, including 
risk assessments and access to agency information-system traffic. 

S. 2151 would not have amended the HSA but would have provided the Secretary of Homeland 
Security with new responsibilities under FISMA. S. 3342 omitted some of those responsibilities 
and modified others (see “FISMA Reform”). 

Cybersecurity Workforce 

Concerns have been raised for several years about the size, skills, and preparation of the federal and private-sector cybersecurity workforce. 30 Six proposals in Table 1 would address those concerns in various ways: 

• Provide additional federal hiring and compensation authorities (Task Force Report, H.R. 3674, S. 2105, S. 3414, White House Proposal). 

• Establish or enhance educational programs for development of next-generation cybersecurity professionals 31 (Task Force Report, H.R. 756, H.R. 967, S. 2105, S. 3414, S. 2151, S. 3342). 

• Assess workforce needs (H.R. 756, S. 2105, S. 3414, S. 2151, S. 3342). 



30 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th Presidency, December 2008, http://www.csis.org/tech/cyber/; Partnership for Public Service and Booz Allen Hamilton, Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce, July 2009, http://ourpublicservice.org/OPS/publications/download.php?id=135; CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital Crisis in Cybersecurity, July 2010, http://csis.org/files/publication/100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf. 

31 This includes providing requirements or statutory authority for existing programs, such as the joint NSF/DHS Scholarship-for-Service Program (see Office of Personnel Management, “Federal Cyber Service: Scholarship For Service,” n.d., https://www.sfs.opm.gov/; National Science Foundation, Federal Cyber Service: Scholarship for Service (SFS), NSF 08-600, Program Solicitation, December 2, 2008, http://www.nsf.gov/pubs/2008/nsf08600/nsf08600.htm), the NSA/DHS National Centers of Academic Excellence (National Security Agency, “National Centers of Academic Excellence,” January 10, 2012, http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml), and the U.S. Cyber Challenge (National Board of Information Security Examiners, “US Cyber Challenge,” 2012, https://www.nbise.org/uscc). 
• Use public/private-sector personnel exchanges (Task Force Report, White House Proposal). 

The workforce-related provisions in S. 2105 and S. 3414 were largely identical. The latter omitted 
some education provisions involving the Secretary of Education but added an initiative on state 
and local education and training. 

Research and Development 

The need for improvements in fundamental knowledge of cybersecurity and new solutions and approaches has been recognized for well over a decade 32 and was a factor in the passage of the Cybersecurity Research and Development Act in 2002 (P.L. 107-305, H.Rept. 107-355). That law focuses on cybersecurity R&D by NSF and NIST. The Homeland Security Act of 2002, in contrast, does not specifically mention cybersecurity R&D. However, DHS and several other agencies make significant investments in it. About 60% of reported funding by agencies in cybersecurity and information assurance is defense-related (invested by the Defense Advanced Research Projects Agency [DARPA], NSA, and other defense agencies), with NSF accounting for about 15%, and NIST, DHS, and DOE 5%-10% each. 33 Seven of the nine legislative proposals in Table 1 address cybersecurity R&D. Five would establish requirements for R&D on specific topics such as detection of threats and intrusions, identity management, test beds, and supply-chain security. Agencies for which the proposals include provisions specifying research topics or providing funding authorization are 

• DHS (H.R. 3674, S. 2105, S. 3414), 

• NIST (H.R. 756, S. 2151, S. 3342), 

• NSF (H.R. 756, S. 2105, S. 2151, S. 3342, S. 3414), and 

• Multiagency 34 (H.R. 967, S. 2105, S. 2151, S. 3342, S. 3414). 

The Task Force Report, H.R. 756, H.R. 967, S. 2105, S. 2151, S. 3342, and S. 3414 addressed 
planning and coordination of research among federal agencies through the White House National 
Science and Technology Council (NSTC) and other entities. The White House Proposal did not 
include any specific R&D provisions but included cybersecurity R&D among a set of proposed 
requirements for the Secretary of Homeland Security. 

FISMA Reform 

The “Federal Information Security Management Act of 2002 (FISMA)” was enacted in 2002. It 
revised the framework that had been enacted in several previous laws (see Table 2). FISMA has 



32 See, for example, National Research Council, Trust in Cyberspace (Washington, DC: National Academies Press, 1999), http://www.nap.edu/catalog/6161.html. 

33 The percentages were calculated from data in Subcommittee on Networking and Information Technology Research and Development, Committee on Technology, Supplement to the President’s Budget for Fiscal Year 2013: The Networking and Information Technology Research and Development Program, February 2012, http://www.nitrd.gov/PUBS%5C2013supplement%5CFY13NITRDSupplement.pdf. The total investment for FY2011 was $445 million. However, agencies may perform additional research not reported as cybersecurity R&D (e.g., some research on software design or high-confidence systems). 

34 For example, through the Director of the Office of Science and Technology Policy (OSTP). 
been criticized for focus on procedure and reporting rather than operational security, a lack of widely accepted cybersecurity metrics, variations in agency interpretation of the mandates in the act, excessive focus on individual information systems as opposed to the agency’s overall information architecture, and insufficient means to enforce compliance both within and across agencies. Seven legislative proposals in the 112th Congress (the Task Force Report, H.R. 1163, S. 2105, S. 2151, S. 3342, S. 3414, and the White House Proposal) would revise FISMA, while retaining much of the current framework: 

• All would continue requirements for agency-wide information security programs, 
annual independent review of security programs, and reports on program 
effectiveness and deficiencies. 

• All include requirements for continuous monitoring of agency systems, including 
automated monitoring. 

• All would retain the responsibility of NIST for development of cybersecurity standards, including compulsory standards. H.R. 1163 would retain OMB’s current responsibility for promulgating the standards, whereas S. 2105, S. 2151, S. 3342, S. 3414, and the White House Proposal would have transferred that responsibility to the Secretary of Commerce. 35 

• H.R. 1163 would also retain OMB’s current responsibility for overseeing federal information-security policy and evaluating agency information-security programs. S. 2105, S. 3414, and the White House Proposal would have transferred authorities and functions for information security policy from OMB to DHS. OMB has already delegated some authorities to DHS administratively, 36 and the Task Force Report expressed support for that approach. S. 2151 and S. 3342, in contrast, would have transferred that responsibility to the Secretary of Commerce. However, none of the proposals would have given the Secretaries of Commerce or Homeland Security authority to approve or disapprove agency information security plans. Only H.R. 1163 would expressly retain OMB’s current power to use its financial authority to enforce accountability. 

• S. 2105, S. 3414, and the White House Proposal would have provided new protective authorities to the Secretary of Homeland Security, including intrusion detection, use of countermeasures, access to communications and other system traffic at agencies, as well as the power to direct agencies to take protective actions and, in the case of an imminent threat, to act without prior consultation to protect agency systems. S. 2151 would have provided DHS a much more limited role, requiring it to conduct ongoing security analyses using information provided by the agencies. S. 3342 would have given that responsibility instead to OMB. 

35 This authority had been granted to the Secretary of Commerce under the Clinger-Cohen Act of 1996 (P.L. 104-106) but was transferred to the Director of OMB by the FISMA title in the HSA in 2002 (P.L. 107-296, Section 1002, 40 U.S.C. §11331). Note that the version of the Chapter 35 provisions that is currently in effect (Subchapter III) was enacted by the FISMA title in the E-Government Act of 2002 (P.L. 107-347, Title III), but that is not the case for 40 U.S.C. §11331, for which the version in the E-Government Act would have retained the authority of the Secretary of Commerce to promulgate those standards, even though it was enacted after the FISA. The reason for this potentially confusing difference appears to be that (1) the effective date of FISA was later than that of the E-Government Act, and (2) FISA changed 44 U.S.C. Chapter 35 by amending the existing subchapter II, which the E-Government Act explicitly suspended (see also “Federal Information Security Management Act of 2002 (FISMA)”). 

36 See Jeffrey Zients, Vivek Kundra, and Howard A. Schmidt, “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” Office of Management and Budget, Memorandum for Heads of Executive Departments and Agencies M-10-15, April 21, 2010, http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-15.pdf; and Peter R. Orszag and Howard A. Schmidt, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS),” Office of Management and Budget, Memorandum for Heads of Executive Departments and Agencies M-10-28, July 6, 2010, http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf. 

• Only H.R. 1163 would retain the current FISMA provision giving OMB responsibility for ensuring operation of a federal incident center. However, S. 2105, S. 3414, and the White House Proposal each contained other provisions that would have established centers within DHS that would have provided for incident reporting, information sharing, and other cybersecurity activities. S. 2151 and S. 3342, in contrast, contained provisions to facilitate reporting to a number of centers (see “Information Sharing” below). 

Protection of Privately Held Critical Infrastructure (CI) 

The federal government has identified 18 sectors of critical infrastructure (CI), 37 much of which is owned by the private sector. The federal role in protection of privately held CI has been one of the most contentious issues in the debate about cybersecurity legislation. There appears to be broad agreement that additional actions are needed to address the cybersecurity risks to CI, 38 but there is considerable disagreement about how much, if any, additional federal regulation is required. Four of the proposals in Table 1 addressed protection of privately held CI. 

Both S. 2105 and the White House Proposal would have required the Secretary of Homeland Security to 

• designate as covered CI those private-sector CI entities for which a successful cyberattack could have debilitating or catastrophic impacts of national significance, 39 with S. 2105 further requiring the Secretary of Homeland Security to perform a sector-by-sector risk assessment and use it in prioritizing designations, 

• determine what cybersecurity requirements or frameworks are necessary to protect them, 

• determine whether additional regulations are necessary to ensure that the requirements are met, 



37 See Department of Homeland Security, “Critical Infrastructure,” May 4, 2012, http://www.dhs.gov/files/programs/gc_1189168948944.shtm; and CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation, by John D. Moteff. 

38 See, for example, House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Examining the Cyber Threat to Critical Infrastructure and the American Economy, 2011, http://homeland.house.gov/hearing/subcommittee-hearing-examining-cyber-threat-critical-infrastructure-and-american-economy; Stewart Baker, Natalia Filipiak, and Katrina Timlin, In the Dark: Crucial Industries Confront Cyberattacks (McAfee and CSIS, April 21, 2011), http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf; and R. E. Kahn et al., America’s Cyber Future: Security and Prosperity in the Information Age (Center for a New American Security, May 31, 2011), http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20I_0.pdf. 

39 S. 2105 would largely exempt information technology products and services from designation as covered CI and the cybersecurity regulations the bill would authorize. 
• develop such regulations in consultation with government and private-sector entities, and 

• enforce the regulations. 

The regulations proposed by S. 2105 would have required CI owners and operators, unless exempted, 40 to certify compliance annually, based on self- or third-party assessments, and would have provided civil penalties for noncompliance. The Secretary would also have been authorized to perform assessments where risks justify such action. 

S. 3414, a revision of S. 2105, would instead have established a federal interagency council to perform the risk assessments through a member agency, identified critical cyber infrastructure, identified and adopted recommended practices, established incentive-based programs to encourage voluntary adoption of those practices by owners and operators, and provided information and technical assistance to them. The council would have been required to coordinate its activities with relevant private-sector entities. The bill would have permitted federal regulatory agencies to require use of adopted practices by CI entities they regulate, provided that such actions are authorized by existing federal law. S. 3414 would also have established a voluntary program to certify CI entities as complying with the adopted practices. It would have required the use of third-party assessments and authorized the council to perform assessments where risks justify such action. 

The White House Proposal would have required owners and operators of covered entities, unless exempted, 41 to submit and attest to compliance plans, and certify compliance annually. Independent evaluations would have been performed on a schedule determined by the Secretary. Civil penalties, shutdown orders, and requirements for use of particular measures would have been prohibited as enforcement methods. 

The Task Force Report recommended that Congress consider targeted and limited additional regulation of highly regulated industries where required to improve cybersecurity, and that existing regulations be streamlined. For most CI, however, the report recommended that Congress adopt a menu of voluntary incentives. 42 It also recommended limitations on liability for entities that comply. S. 2105, S. 3414, and the White House Proposal would also have limited liability for entities in compliance. 

The subcommittee version of H.R. 3674 43 would have amended the HSA to require the Secretary of Homeland Security to perform continuous risk assessments of CI for inclusion annually in the 



40 An entity would be exempted if the Secretary of Homeland Security determined that it was already sufficiently secure or that additional requirements would not substantially improve its security (Section 105(c)(4)). The President would also be permitted to exempt an entity from the requirements upon determining that current regulations sufficiently mitigate the risks to the entity (Section 104(f)). 

41 This exemption (Section 9(c) in the part of the proposal on Cl protection) is similar to the Presidential exemption in 
S. 2105 (footnote 40) except that the White House Proposal would give the authority to the Secretary of Homeland 
Security. 

42 Among the possibilities discussed are tying adoption of standards to incentives such as grants and streamlined 
regulation, using tax credits, and facilitating the development of a cybersecurity insurance market. 

43 This is the version approved by voice vote by the Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies of the House Committee on Homeland Security on February 1, 2012, and forwarded to the full 
committee. 
National Infrastructure Protection Plan. 44 It would also have required relevant federal regulatory agencies to review cybersecurity regulations for covered CI (as determined by the Secretary) 45 and fill any gaps using a collection of recognized consensus standards, where applicable, and to work with NIST to develop such standards where necessary. It would have prohibited additional regulatory authority beyond the collected standards. 

The full-committee version of H.R. 3674 46 would have amended the HSA in a substantially different way from the subcommittee version. It would have permitted the Secretary to engage in risk assessments and other protective activities with respect to privately held CI only upon request by owners and operators. It would have required the Secretary to develop a cybersecurity strategy for CI systems and stipulated that the bill would not have provided additional authority to DHS over federal or nonfederal entities. 

S. 2151 and S. 3342 did not contain specific provisions for protection of CI similar to those in the proposals discussed above. However, they would have provided criminal penalties for damage to CI computers, and, like the proposals discussed above, they contained information-sharing provisions that could be useful in CI protection. 

Information Sharing 

Barriers to the sharing of information on threats, attacks, vulnerabilities, and other aspects of cybersecurity — both within and across sectors — have long been considered by many to be a significant hindrance to effective protection of information systems, especially those associated with CI. 47 Examples have included legal barriers, concerns about liability and misuse, protection of trade secrets and other proprietary business information, and institutional and cultural factors — for example, the traditional approach to security tends to emphasize secrecy and confidentiality, which would necessarily impede sharing of information. 

Proposals to reduce or remove such barriers, including provisions in bills in Table 1, have raised concerns, 48 some of which are related to the purpose of barriers that currently impede sharing. Examples include risks to individual privacy and even free speech and other rights, use of 



44 See Department of Homeland Security, National Infrastructure Protection Plan, 2009, http://www.dhs.gov/xlibrary/ 
assets/NIPPPlan.pdf. 

45 The criteria in the subcommittee version of H.R. 3674 are generally similar to those in S. 2105 and the White House 
Proposal in that they focus on entities for which successful cyberattack could have major negative impacts. The 
definitions in the three legislative proposals differ somewhat in emphasis and specificity. 

46 This is the version ordered reported by the Committee on Homeland Security on April 18, 2012. 

47 See, for example, The Markle Foundation Task Force on National Security in the Information Age, Nation At Risk: Policy Makers Need Better Information to Protect the Country, March 2009, http://www.markle.org/downloadable_assets/20090304_mtf_report.pdf; CSIS Commission on Cybersecurity for the 44th Presidency, Cybersecurity Two Years Later, January 2011, http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf. 

48 See, for example, Greg Nojeim, “WH Cybersecurity Proposal: Questioning the DHS Collection Center,” Center for Democracy & Technology, May 24, 2011, http://cdt.org/blogs/greg-nojeim/wh-cybersecurity-proposal-questioning-dhs-collection-center; and Adriane Lapointe, Oversight for Cybersecurity Activities (Center for Strategic and International Studies, December 7, 2010), http://csis.org/files/publication/101202_Oversight_for_Cybersecurity_Activities.pdf. See also comments received by a Department of Commerce task force (available at http://www.nist.gov/itl/cybersecnoi.cfm) in conjunction with development of this report: Internet Policy Task Force, Cybersecurity, Innovation, and the Internet Economy (Department of Commerce, June 2011), http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf. See also footnote 24. 
information for purposes other than cybersecurity, such as unrelated government regulatory actions, commercial exploitation of personal information, or anticompetitive collusion among businesses that would currently violate federal law (see “Antitrust Laws and Section 5 of the Federal Trade Commission Act”). 

Seven proposals in Table 1 had provisions for improving information sharing and addressing 
privacy and other concerns: 49 

• Create entities for information sharing. S. 2105 and S. 3414 would have required the Secretary of Homeland Security to establish a process for designating federal and nonfederal information exchanges, including a lead federal exchange responsible for facilitating information sharing among federal and nonfederal entities. S. 3414 further specified that federal exchanges be in civilian agencies. The Task Force Report recommended establishment of a nongovernmental clearinghouse for sharing cybersecurity information among private-sector and government entities. The subcommittee version of H.R. 3674 would have created such an organization, the National Information Sharing Organization (NISO). 50 However, those provisions were omitted from the committee version, which would instead have provided statutory authorization for and specified governance and responsibilities of the DHS National Cybersecurity and Communications Integration Center (NCCIC), 51 which was established administratively in 2009. 52 S. 2151 and S. 3342 would not have authorized any new entities but listed a set of existing centers to which their information-sharing provisions would have applied. The DHS center that the White House Proposal would have established (see “DHS Authorities for Protection of Federal Systems”) would have had information sharing as one of its responsibilities. 

• Establish provisions for sharing classified information. The Task Force Report, H.R. 624, S. 2105, S. 2151, S. 3342, and S. 3414 would establish procedures to permit sharing of classified cybersecurity information with private-sector entities that meet specific criteria. 

• Establish authority for information sharing by and with private-sector entities. 

    • H.R. 624 would permit cybersecurity providers or self-protected entities to share threat information with other designated entities, notwithstanding any other provision of law. Federal agencies receiving such information would be required to share it with designated entities at DHS, for threat information, and the Department of Justice (DOJ) for cybercrime information. Those 



49 H.R. 3674 would address the issue by amending the HSA and H.R. 3523 by amending the National Security Act of 1947. The other proposals do not couch their provisions as amendments to current law. 

50 House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security 
Technologies, "Hearing on Draft Legislative Proposal on Cybersecurity,” 2011, http://homeland.house.gov/hearing/ 
subcommittee-hearing-hearing-draft-legislative-proposal-cybersecurity. 

51 Department of Homeland Security, "National Cybersecurity and Communications Integration Center”, December 6, 
2011, http://www.dhs.gov/files/programs/nccic.shtm. 

52 Department of Homeland Security Office of Inspector General, “Secretary Napolitano Opens New National 
Cybersecurity and Communications Integration Center,” Press Release, October 30, 2009, http://www.dhs.gov/ynews/ 
releases/pr_1256914923094.shtm. The subcommittee version of H.R. 3476 would also have provided statutory 
authority for NCCIC, but would have given it somewhat different responsibilities. 
entities could share it with other federal entities for cybersecurity and related law-enforcement purposes, and for protection of individuals. 

• S. 2105 would have expressly permitted disclosure of lawfully obtained 
threat indicators among private-sector entities, with the exchanges the bill 
would establish, and by federal entities with other relevant federal or private 
entities, notwithstanding any other provision of law. S. 3414 was similar but 
restricted disclosure by federal entities to cybersecurity and law-enforcement 
purposes. 

    • S. 2151 and S. 3342 would have permitted nonfederal entities to share threat information with cybersecurity centers or with other nonfederal entities for the purpose of addressing threats. S. 2151 would have required providers of communications, remote computing, and cybersecurity services under federal contracts to share with cybersecurity centers, through the contracting agency, any threat information related to the contract. S. 3342 would instead have required a coordinated process through which providers would inform federal entities of significant incidents with impacts on their missions, with the entity reporting the information to a cybersecurity center. S. 2151 would have permitted centers to disclose threat information for specified purposes to federal entities, service providers, and nonfederal government entities, whereas S. 3342 would not have permitted centers to disclose such information to service providers. 

• The White House Proposal would have permitted nonfederal entities to 
disclose information to a designated cybersecurity center for purposes of 
protection from cybersecurity threats and would have permitted federal 
agencies to disclose such information to relevant private entities. 

• Limit disclosure of shared information. The Task Force Report, the subcommittee 
version of H.R. 3674, H.R. 624, S. 2105, S. 2151, S. 3342, S. 3414, and the 
White House Proposal would all provide exemptions from the “Freedom of 
Information Act (FOIA)” for cybersecurity information. 53 All would also have 
restricted disclosure in other ways, such as expressly requiring that it be for 
specified cybersecurity purposes, although specific requirements vary. 

• Limit government use of information to specified purposes. The Task Force 
Report, H.R. 624, H.R. 3674, S. 2151, and S. 3342 would expressly restrict or 
prohibit regulatory use of shared information. S. 2105, S. 3414, and the White 
House Proposal would have limited use of acquired information to cybersecurity 
or law enforcement purposes. In addition to those uses, S. 2151 and S. 3342 
would have permitted use for national security, 54 and H.R. 624 and S. 3414 added 
protection from physical harm and, for minors, from sexual exploitation and 
threats to physical safety. 

• Limit liability for information sharing. The Task Force Report, H.R. 624, S. 
2105, S. 2151, S. 3342, S. 3414, and the White House Proposal would protect 
nonfederal entities from liability for information shared or other specified actions 

53 The committee version of H.R. 3674 includes a FOIA exemption by reference to the amendments to Title XI of the 
“National Security Act of 1947” that would be made by H.R. 3523. 

54 A similar provision was deleted by amendment from H.R. 624. 
taken in accordance with the provisions in the legislative proposal. H.R. 624 
would also provide for limited liability for federal violations of restrictions in the 
bill on disclosure, use, and protection of shared information, and S. 3414 for 
violations of title provisions or related regulations. The subcommittee version of 
H.R. 3674 would have permitted actual and punitive civil damages against 
persons who disclose or use for purposes other than cybersecurity the 
information that is disclosed to private entities. 

• Provide privacy and civil liberties protections. All five proposals called for 
privacy protections. The Task Force Report recommended that in providing safe 
harbors for entities involved in information sharing, “the protection of personal 
privacy should be at the forefront” (p. 7). It also recommended that the proposed 
nongovernmental clearinghouse have a privacy board. 

• H.R. 624 would require the Secretary of Homeland Security, jointly with the 
Attorney General, the Director of National Intelligence (DNI), and the 
Secretary of Defense, to create, and agency heads to implement, policies and 
procedures to minimize impacts of sharing on privacy and civil liberties, and 
to limit disclosure of information “associated with specific persons.” It would 
require the DHS Inspector General to submit an annual report to Congress on 
implementation, including metrics on impacts of sharing on privacy and civil 
liberties. It also requires an annual privacy report by the DHS Officer for 
Civil Rights and Civil Liberties. 55 In addition, the bill would have prohibited 
federal use of identifying information from specified sets of library, sales, 
tax, education, or medical records. 

• The subcommittee version of H.R. 3674 would have required that two 
members of the NISO board of directors be representatives from the privacy 
and civil liberties community (the committee version), that the NISO charter 
and procedures include privacy and civil liberties protections, and that 
anonymization procedures, such as removal of personally identifiable 
information, be used for shared information. The committee version would 
have created a similar board for the NCCIC and would have required 
ongoing review by the DHS privacy officer of departmental policies and 
activities. 

• S. 2105 and S. 3414 would have required the director of the DHS center to 
appoint a privacy officer, create guidelines for protection of privacy and civil 
liberties, and ensure that center activities comply with federal requirements. 
The bill would also have required the Secretary of Homeland Security to 
develop policies and procedures to minimize the impacts of information 
sharing involving the exchanges that would be established by the bill. It 
would have required three relevant reports: (1) an annual joint report to 
Congress by the DHS and Department of Justice privacy officers assessing 
impacts; (2) a report from the Privacy and Civil Liberties Oversight Board 56 
assessing impacts and recommending statutory changes; and (3) a joint report 
by the Secretary of Homeland Security, the Director of National Intelligence, 



55 Section 2(c) of the bill. These provisions were added as a floor amendment. The original bill would have given 
primary responsibility for privacy and civil liberties to the DNI. 

56 The board was established by the “Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).” 
the Attorney General, and the Secretary of Defense that would have included 
disclosure of significant noncompliance by nonfederal entities with the 
requirements of the information sharing title of the bill, especially with 
respect to privacy and civil liberties, with recommendations for any statutory 
changes (S. 2105) or that identified changes in the information technology 
environment that challenged the adequacy of the law (S. 3414). 

• S. 2151 would have required the heads of agencies with cybersecurity centers 
to jointly develop procedures for sharing information. Those would have 
considered the need for protection of privacy and civil liberties through 
anonymization and other means. S. 3342 would in addition have permitted 
efforts to limit impacts from sharing on privacy and civil liberties. Both bills 
would also have required biennial joint implementation reports from the 
agency heads, including review of how shared information may impact 
privacy and civil liberties, the adequacy of steps to reduce such impact, and 
any recommended changes to authorities. 

• The White House Proposal would have required that “reasonable efforts” be 
taken “to remove information that can be used to identify specific persons 
unrelated to the cybersecurity threat.” 57 It would have added a new Section 
248 to the HSA on privacy and civil liberties relating to cybersecurity. It 
would have required the Secretary of Homeland Security, in consultation 
with privacy and civil liberties experts, to develop and periodically review 
policies and procedures on information access, disclosure, and use. The 
policies and procedures would have been required to minimize impacts on 
privacy and civil liberties, safeguard identities, protect confidentiality as 
much as possible, and provide limits on access, use, and disclosure of 
information. Agency heads would have been required to develop policies for 
handling information associated with specific persons, to establish programs 
to monitor and oversee compliance with DHS and agency policies, and to 
develop and enforce sanctions for violations by agency personnel. The above 
policies and procedures would have been subject to review and approval by 
the Attorney General. Like S. 2105, the White House Proposal would have 
required an annual joint report to Congress by the DHS and Department of 
Justice privacy officers assessing impacts, and a report from the Privacy and 
Civil Liberties Oversight Board assessing impacts and recommending 
statutory changes. 

Other Topics 

Cybercrime Law. S. 2151, S. 3342, the White House Proposal and the Task Force Report would 
each have revised current criminal statutes relating to cybersecurity, including criminalizing the 
damaging of computers associated with critical infrastructure (CI). 58 



57 Section 245(a)(1) as added to the HSA by the proposal. 

58 For discussion of federal cybercrime laws, see CRS Report 97-1025, Cybercrime: An Overview of the Federal 
Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle; and CRS Report R40599, 
Identity Theft: Trends and Issues, by Kristin Finklea. See also the discussions of criminal statutes in this report. 
Data Breach Notification. The White House Proposal and the Task Force Report would also both 
have set federal requirements for data breach notification — public notification in cases where a 
security breach poses significant risks of exposure of sensitive personal information. For more 
information on this issue, including discussion of bills that would address it, see CRS Report 
R42474, Selected Federal Data Security Breach Legislation, by Kathleen Ann Ruane and CRS 
Report R42475, Data Security Breach Notification Laws, by Gina Stevens. 

Some proposals addressed additional topics not discussed in this overview. For example, H.R. 
756 would have required NIST to develop a strategy for federal use of cloud computing. The White 
House Proposal would have restricted the power of state and local governments to require 
business entities to locate data centers within the state or locality. To the extent that such topics 
would have been addressed by amending current statutes, they are discussed below under the 
relevant laws. 



Discussion of Proposed Revisions of Current Statutes 

To identify laws that might be considered candidates for revision, CRS conducted a broad search, 
consulting with various experts and examining various sources, including legislative proposals in 
the 111th and 112th Congresses. That search yielded more than 50 potentially relevant statutes (see 
Table 2), of which proposed revisions were identified for 31. 59 For each of the latter group, the 
report contains an entry that includes 

• the popular name of the statute; 60 

• the public law number, along with Statutes-at-Large and relevant U.S. Code 
citations; 61 

• a brief description of the relevance of the statute for cybersecurity; 62 and 

• discussion of potential revisions or updates that have been suggested. 63 



59 There are 27 entries, but the one on antitrust laws consists of four different statutes. Neither of the two lists is 
intended to be definitive or exhaustive. For example, some analysts may argue that more agency authorization statutes 
should be included, or, alternatively, that some of the statutes that are included are not of significant relevance. 

60 This is the name by which the statute is commonly known. 

61 The public law (P.L.) and United States Statutes at Large (Stat.) citations refer to the original law to which the 
popular name currently applies. Laws enacted before 1957 generally do not have public law numbers but chapter 
numbers (Ch.) instead. U.S. Code (U.S.C.) citations refer to the codified law, including any amendments, of those 
provisions deemed most relevant for cybersecurity as discussed in the text under that law (see also footnote 62). For 
more information about citation forms, see Law Library of Congress, “Federal Statutes,” April 4, 2011, 
http://www.loc.gov/law/help/statutes.php. More complete cross-references of public laws to corresponding provisions 
of U.S. Code can be found in classification tables (see, for example, U.S. House of Representatives, Office of the Law 
Revision Counsel, “U.S. Code Classification Tables,” 2011, http://uscode.house.gov/classification/tables.shtml). 

62 In some cases, such as the Cybersecurity Research and Development Act, P.L. 107-305, the entire statute is relevant 
to cybersecurity. In others, such as the Omnibus Crime Control and Safe Streets Act of 1968, P.L. 90-351, the statute 
has a broader focus and only the provisions relevant to the text are cited and described. However, given that 
cybersecurity is not a precise concept, there may in some cases be legitimate disagreements among experts about which 
provisions are relevant. Therefore, the descriptions and U.S. Code citations cannot be considered definitive. 

63 The discussion is provided for purposes of information only. CRS does not propose legislation or take positions or 
make recommendations on legislative proposals or issues. Contributing CRS staff include Patricia Moloney Figliola, 
(continued...) 
Entries are in chronological order. 64 The statutes discussed include only those for which CRS 
identified specific proposals to revise them from various observers and in public sources. 65 It does 
not include proposals for new provisions of federal law that were not identified explicitly as 
revisions of current named statutes. 

One example is the recommendations for statutory language on data-breach notification in the 
White House Proposal and the Task Force Report. Neither those two documents, nor the bills on 
the issue that have been introduced in the 112th Congress, 66 specify named statutes to be revised. 
One of those bills, S. 1151, would revise 18 U.S.C. Chapter 47 (Fraud and False Statements) by 
adding a new section at the end, but that provision does not modify any named statute specified 
either in the bill or in the U.S. Code. It is therefore not included in the discussion below. 

However, the bill would also revise 18 U.S.C. §1030, which was added by the “Counterfeit 
Access Device and Computer Fraud and Abuse Act of 1984,” so that provision is discussed. 

Another example is bills with provisions clearly related to a named statute, but that do not 
explicitly modify that statute. One example from the 111 th Congress is H.R. 5590, which had 
cybersecurity provisions that might be interpreted as modifications to the HSA but were not cited 
as such. Such provisions are not discussed in this report because their effects on specific statutes 
could not be determined with certainty. 

The approach taken in this report of focusing on statutes by their popular names is useful in many 
cases, but it has some significant limitations, particularly with respect to the U.S. Code. Some 
laws, such as the USA Patriot Act of 2001 (see Table 2), may be classified across many titles and 
sections, 67 which may make analysis more challenging. Fortunately, that did not prove to be a 
significant concern for this report. 

However, lack of correspondence between named laws and proposed modification of provisions 
in the U.S. Code, described above, may in some cases result in significant gaps in coverage of 
relevant provisions of law relating to cybersecurity by an approach such as the one taken here. 
Therefore, the analysis presented here should not be regarded as complete. 



Posse Comitatus Act of 1879 

Ch. 263, 20 Stat. 152. 

18 U.S.C. §1385. 68 



(...continued) 

Kristin M. Finklea, Eric A. Fischer, Wendy R. Ginsberg, John Rollins, Kathleen Ann Ruane, Gina Stevens, Rita Tehan, 
and Catherine A. Theohary. Entries for which no contributor is indicated were written by Eric A. Fischer. 

64 The order is by date of enactment of the earliest relevant statute, as assessed by CRS. This organization, rather than 
alternatives such as by topic or U.S. Code title, was chosen because it provides the best view of the evolution of 
legislation in this area. 

65 Sources are cited where they could be specifically identified. 

66 Data-breach notification is also covered by H.R. 1528, H.R. 1707, H.R. 1841, H.R. 2577, S. 1151, S. 1207, S. 1480, 
and S. 1535. 

67 This act was classified to 15 titles. 

68 Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations 
(ctheohary@crs.loc.gov, 7-0844). 
Major Relevant Provisions 

• Restricts the use of military forces in civilian law enforcement within the United 
States, unless it is within a federal government facility. 69 

• Courts have ruled that violations of the act occur when civilian law enforcement 
makes “direct active use” of military investigators, when use of the military 
pervades the activities of the civilian officials, or when the military is used so as 
to subject citizens to military power that is regulatory, prescriptive, or 
compulsory in nature. 

Possible Updates 

• Some observers claim that the act prevents the military from cooperating on 
cybersecurity with civil agencies that may lack the resident expertise and 
capabilities of the military and DOD. 70 In addition, it may sometimes be difficult 
to distinguish a criminal cyber attack from one involving national defense, 
especially if the attack is on a component of critical infrastructure. 

• Some have therefore proposed that the act be amended to clarify when U.S. 
military can operate domestically regarding cyber threats to such infrastructure, 
most of which is privately owned. Others maintain that no revision is needed 
because the President has the authority under current law to direct the military to 
support civil authorities in the event of a domestic disaster. 

• A memorandum of agreement signed between DHS and DOD may increase the 
likelihood that the military would play a significant role in responding to a major 
cyber attack on U.S. information networks. 71 However, some argue that the 
defense of U.S. information systems should be solely the purview of civilian 
agencies such as DHS and the FBI, because involvement of the military creates 
unacceptable privacy and civil liberties concerns. 



Antitrust Laws and Section 5 of the Federal Trade Commission Act 

Sherman Antitrust Act 

Ch. 647, 26 Stat. 209. 

15 U.S.C. §§1-7. 



69 For further discussion, see CRS Report RS22266, The Use of Federal Troops for Disaster Assistance: Legal Issues, 
by Jennifer K. Elsea and R. Chuck Mason. 

70 For example, see Jeffrey K. Toomer, “A Strategic View of Homeland Security: Relooking the Posse Comitatus Act 
and DOD’s Role in Homeland Security” (monograph, School of Advanced Military Studies, United States Army 
Command and General Staff College, Fort Leavenworth, Kansas, July 11, 2002), http://www.dtic.mil/cgi-bin/ 
GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA403866. 

71 Department of Homeland Security and Department of Defense, “Regarding Cybersecurity.” The MOA provides 
terms for sharing of personnel, equipment, and facilities by the two agencies to improve planning, capabilities, and 
mission activities in national cybersecurity efforts. 
Wilson Tariff Act 

Ch. 349, §73, 28 Stat. 570. 
15 U.S.C. §§8-11. 



Clayton Act 

P.L. 63-212, 38 Stat. 730. 

15 U.S.C. §§12-27. 

Section 5 of the Federal Trade Commission Act (FTC Act) 

Ch. 311, §5, 38 Stat. 719. 

15 U.S.C. §45(a). 72 

When referred to in statute, the term “antitrust laws” generally means the three laws listed in 15 
U.S.C. § 12(a), which are the first three statutes listed above. Also frequently included in the list 
of antitrust laws is Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. 
Section 5 is included because courts have found that unfair competition includes, at the least, 
activity that would violate the Sherman or Clayton Acts. 73 

Major Relevant Provisions 

• The antitrust laws as well as Section 5 of the FTC Act are a collection of statutes 
that forbid combinations or agreements that unreasonably restrain trade. 74 
Whenever competitors in a given market share information, antitrust concerns 
may be raised due to the risk of collusion among competitors. 75 

Possible Updates 

Information sharing agreements between private corporations may be subject to antitrust scrutiny, 
because the sharing of information among competitors could create opportunities for 
collaboration with the goal of restraining trade. 76 However, information sharing agreements to 
combat cybersecurity may be in compliance with antitrust principles so long as their goals are to 
combat cyber threats rather than restrain competition. 77 

Some may argue that in order to develop effective and efficient information sharing agreements to 
combat cybersecurity threats, an explicit exemption from the antitrust laws for these agreements 



72 Prepared by Kathleen Ann Ruane, Legislative Attorney (kruane@crs.loc.gov, 7-9135). 

73 See, e.g., United States v. American Airlines Inc., 743 F.2d 1114 (5th Cir. 1984); FTC v. Motion Picture Advertising 
Serv. Co., 344 U.S. 392, 394-95 (1953); FTC v. Cement Institute, 333 U.S. 683, 694 (1948); Fashion Originators’ 
Guild v. FTC, 312 U.S. 457, 463-64 (1941). 

74 See Standard Oil Co. v. U.S., 221 U.S. 1 (1911). 

75 See Federal Trade Commission and Department of Justice, Antitrust Guidelines for Collaborations among 
Competitors, April 2000, http://www.ftc.gov/os/2000/04/ftcdojguidelines.pdf. 

76 Ibid. 

77 Ibid. (noting that many collaborations among competitors are “not only benign, but procompetitive”). 
is necessary. Congress has previously proposed such an exemption. For example, H.R. 2435 
(107th Congress) would have granted an express exemption from the antitrust laws and from 
Section 5 of the FTC Act to persons making and implementing agreements entered into solely for 
the purpose of “facilitating the correction or avoidance of a cyber security-related problem or 
communication of or disclosing information to help correct or avoid the effects of a cyber 
security-related problem.” Such an exemption, if enacted by Congress, would allow market 
participants to engage in information sharing for the purposes of combating cybersecurity threats 
without concern for implicating the antitrust laws. In the 112th Congress, the Task Force Report 
stated that an antitrust exemption might be required. 78 H.R. 624 did not specifically mention 
antitrust laws, but would have permitted sharing of cybersecurity information among private- 
sector entities “notwithstanding any other provision of law.” S. 2151 and S. 3342 would have 
expressly exempted from antitrust laws the exchange among private entities of information 
relating to cybersecurity threats. 

Others may argue that the antitrust laws are flexible in nature, particularly as they relate to 
information sharing agreements, and the laws are flexibly applied by the agencies of 
jurisdiction. 79 This flexible nature may obviate the need for express exemptions from the 
application of the laws, while keeping the antitrust agencies involved in and aware of the 
information sharing agreements companies are making. 80 The agencies have expressed a view 
that if competitors are collaborating for reasons that do not restrain trade or hamper competition, 
and safeguards are in place to prevent such restraint, the antitrust laws should not hinder such 
collaboration. 81 The Department of Justice (DOJ) currently allows companies wishing to create 
information sharing arrangements for permissible and procompetitive purposes to submit their 
plans for collaboration to the agency. 82 The agency then reviews the plans and, if the plans are 
approved, issues what is known as a business review letter. 83 The business review letter will 
generally state that DOJ does not intend to enforce the antitrust laws against the proposed 
collaboration. DOJ has issued business review letters to companies who have developed plans to 
share information to combat cybersecurity threats. 84 



National Institute of Standards and Technology Act 

Ch. 872, 31 Stat. 1449. 

15 U.S.C. §271 et seq. 

Major Relevant Provisions 

The original act gave the agency responsibilities relating to technical standards. Later 
amendments added more generally relevant provisions and, more specifically, 



78 House Republican Cybersecurity Task Force, Recommendations, p. 11. 

79 See Amitai Aviram, “Network Responses to Network Threats,” in The Law and Economics of Cybersecurity, ed. 
Mark Grady and Francesco Parisi (New York: Cambridge University Press, 2006), 157-158. 

80 See Federal Trade Commission and Department of Justice, Antitrust Guidelines. 

81 Ibid. 

82 28 C.F.R. §50.6. 

83 Federal Trade Commission and Department of Justice, Antitrust Guidelines. 

84 Joel I. Klein, Assistant Attorney General, to Barbara Greenspan, Associate General Counsel, Electric Power Institute, 
Inc., October 2, 2000, http://www.justice.gov/atr/public/busreview/6614.htm. 
• Identified relevant research topics, among them computer and telecommunication 
systems, including information security and control systems. 85 

• Established a computer standards program at the National Institute of Standards 
and Technology (NIST). 86 

Possible Updates 

Despite NIST’s current authority to conduct research on computers and information security, 
some concerns have been raised about whether those activities should be enhanced in light of the 
evolving threat environment for cybersecurity. In the 111th Congress, H.R. 4061, which was 
passed by the House, would have required NIST to conduct intramural research on identity 
management and the security of information systems, networks, and industrial control systems. A 
similar bill, H.R. 756, was considered in the 112th Congress. 



Federal Power Act 

Ch. 285, 41 Stat. 1063. 

16 U.S.C. §791a et seq., §824 et seq. 87 

Major Relevant Provisions 

• Established the Federal Energy Regulatory Commission (FERC) and gave it 
regulatory authority over interstate sale and transmission of electric power. 

Possible Updates 

Concerns about the vulnerability of the electric grid to cyber attack have increased substantially 
over the last several years. 88 Although the Energy Policy Act of 2005 (P.L. 109-58) gave FERC 
responsibility for developing reliability standards for power systems, limitations to that authority 
and to the usefulness of the standards-development process to respond effectively to rapidly 
emerging cybersecurity threats have raised concerns about the need for enhancing FERC’s 
authority to address those threats, especially in light of the development of smart-grid 
technology. 89 Several bills were introduced in the 111th Congress (H.R. 2165, H.R. 2195, H.R. 
5026, S. 946, S. 1462) in response. H.R. 5026, which was passed by the House, would have 
expanded FERC’s jurisdiction over electric infrastructure and authorized FERC to order actions 
by relevant entities in response to threats to cybersecurity. In the 112th Congress, S. 1342 would 
also have provided expanded cybersecurity authorities to FERC, and H.R. 668 would have given 



85 15 U.S.C. §272, as amended by the Technology Competitiveness Act, Subtitle B of Title V of P.L. 100-418, the 
Omnibus Trade and Competitiveness Act of 1988, which also changed the name of the agency from the National 
Bureau of Standards to the National Institute of Standards and Technology, and changed the name of the act to the 
National Institute of Standards and Technology Act. 

86 15 U.S.C. §§278g-3 and -4, as added by the Computer Security Act of 1987. See also “Federal Information Security 
Management Act of 2002 (FISMA).” 

87 The law was originally enacted in 1920 as the Federal Water Power Act but was renamed the Federal Power Act in 
1935 (49 Stat. 863, 16 U.S.C. §791a). 

88 See, for example, H.Rept. 111-493, S.Rept. 111-331. 

89 CRS Report R41886, The Smart Grid and Cybersecurity — Regulatory Policy and Issues, by Richard J. Campbell. 
FERC emergency authorities in response to events causing large-scale disruptions of the electric 
grid. 



Communications Act of 1934 

Ch. 652, 48 Stat. 1064. 

47 U.S.C. §151 et seq. 90 

Major Relevant Provisions 

• Established the Federal Communications Commission (FCC) and gave it 
regulatory authority over both domestic and international commercial wired and 
wireless communications. 

• Provides the President with authority in a national emergency to control “any or 
all stations or devices capable of emitting electromagnetic radiations,” and in 
case of war or threat of war, to close “any facility or station for wire 
communication” (Section 706 of the act, 47 U.S.C. §606). 

Possible Updates 

Some observers have proposed that the act should be revised to give the FCC more of a role in 
cybersecurity, especially given the growing merging of information and communications 
technology (ICT) and their increasing importance in the U.S. economy. In fact, a number of other 
countries have more unified governance of ICT than the United States. 91 

Some controversy exists about whether the Section 706 authorities described above permit the 
President to shut down Internet communications during a war or national emergency, a power that 
has sometimes been referred to as the “Internet kill switch.” 92 However, there does not appear to 
be a consensus about whether in fact such additional authority is needed, or, if it is not, whether 
additional legislation is needed to clarify and delimit it. 

That debate became acute during Senate consideration of S. 773 and S. 3480 in the 111th 
Congress. Those bills would have authorized emergency measures by the President if the 
operation of critical infrastructure were threatened by cyber attack. A similar provision was 
proposed in S. 413 in the 112th Congress. 93 This bill also contained a provision that would 
expressly deny the federal government any authority to “shut down the Internet.” 



90 See also “Communications Decency Act of 1996.” 

91 See, for example, Elgin M. Brunner and Manuel Suter, International CIIP Handbook 2008/2009 (Center for Security 
Studies, ETH Zurich, 2008), http://www.css.ethz.ch/publications/CIIP_HB_08. 

92 See also CRS Report R41674, Terrorist Use of the Internet: Information Operations in Cyberspace, by Catherine A. 
Theohary and John Rollins. 

93 S. 413 is largely identical to S. 3480. Both would provide the authority for the emergency measures through a 
revision of the Homeland Security Act, not the Communications Act. In addition, they would assign the authority to 
implement Section 706 to the head of a White House office to be created by the bills. The provision in S. 773 was not 
presented as a revision to a specified law. 
National Security Act of 1947 

Ch. 343, 61 Stat. 495. 

50 U.S.C. 401 et seq. 

Major Relevant Provisions 

• Provided the basis for the modern organization of U.S. defense and national 
security by reorganizing military and intelligence functions in the federal 
government. 

• Created the National Security Council, the Central Intelligence Agency, and the 
position of Secretary of Defense. 

• Established procedures for access to classified information. 

Possible Updates 

A broad consensus exists that a significant barrier to improving cybersecurity is limitations on 
sharing of information, including classified information, about cyber-threats and attacks. 94 H.R. 
624 would have addressed that concern by amending the act to facilitate sharing of intelligence 
information relating to cybersecurity, including classified information, between federal 
intelligence entities and private-sector providers of cybersecurity services, and to facilitate the 
identification and sharing of threat information by providers. The bill also included provisions for 
protection from liability for entities sharing information and exemption from disclosure of that 
information under the “Freedom of Information Act (FOIA).” 

See also “Information Sharing.” 



U.S. Information and Educational Exchange Act of 1948 
(Smith-Mundt Act) 

Ch. 36, 62 Stat. 6. 

22 U.S.C. §1431 et seq. 95 

Major Relevant Provisions 

• Restricts the State Department from disseminating public diplomacy information 
domestically and limits its authority to communicate with the American public in 
general (22 U.S.C. §1461-1a). 96 The domestic dissemination provision originally 



94 For example, the Task Force Report states, “There is widespread agreement that greater sharing of information is 
needed within industries, among industries, and between government and industry in order to improve cybersecurity 
and to prevent and respond to rapidly changing threats. For example, through intelligence collection, the federal 
government has insights and capabilities that many times are classified but would be useful to help defend private 
companies from cybersecurity attacks” (Fiouse Republican Cybersecurity Task Force, Recommendations, p. 10). 

95 Prepared by Catherine A. Theohary, Analyst in National Security Policy and Infonnation Operations 
(ctheohary@crs.loc.gov, 7-0844). 

96 This restriction was added by the Foreign Relations Authorization Act, Fiscal Years 1986 and 1987 (P.L. 99-93, 99 
(continued...) 
applied to the now defunct U.S. Information Agency (USIA), which was 
abolished and its functions transferred to the Secretary of State by P.L. 105-277 
(22 U.S.C. §6532). 97 

Possible Updates 

Critics maintain that the law is a Cold War relic intended only to restrict the USIA, which no 
longer exists, from propagandizing Americans with public diplomacy and information materials 
that were intended for a foreign audience. Those critics argue that the restrictions were created 
before the advent of the Internet, and the provisions create an obsolete barrier that serves only to 
prevent the State Department from communicating effectively. Some have also argued that the 
law has been interpreted to prohibit the military from conducting information operations in 
cyberspace, as some of those activities could be considered propaganda that could reach U.S. 
citizens, since the United States does not restrict Internet access according to territorial 
boundaries. 

Yearly appropriations bills for both the State Department and Department of Defense include 
restrictions on use of funds for “propaganda” activities, although the word “propaganda” is not 
defined. In the 111th Congress, H.R. 5729 would have removed the so-called “firewall” between 
domestic and foreign audiences by explicitly authorizing the Department of State to disseminate 
information through the Internet and information media, stating that the resolution shall “not be 
construed to prohibit the Department from engaging in any medium of information on a 
presumption that a U.S. domestic audience may be exposed to program material.” However, this 
provision would have applied only to the State Department; it would not have included DOD or 
other federal departments or agencies. 



State Department Basic Authorities Act of 1956 

Ch. 841, 70 Stat. 890. 

22 U.S.C. §2651a. 

Major Relevant Provisions 

• Specifies the organization of the Department of State, including the positions of 
coordinator for counterterrorism and for HIV/AIDS response. 

Possible Updates 

As the Internet becomes increasingly international, concerns have been raised about the 
development and coordination of international efforts in cybersecurity by the United States. 98 In 



(...continued) 

Stat. 431) and was not part of the original act. 

97 For discussion, see CRS Report R40989, U.S. Public Diplomacy: Background and Current Issues, by Kennon H. 
Nakamura and Matthew C. Weed. 

98 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th 
Presidency, December 2008, http://www.csis.org/tech/cyber/; The White House, Cyberspace Policy Review, May 29, 
2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; and The White House, 
(continued...) 
the 111th Congress, S. 3193 would have addressed those concerns by establishing a coordinator 
for cyberspace and cybersecurity issues within the Department of State. S. 1426 in the 112th 
Congress contained a similar provision. 



Freedom of Information Act (FOIA) 

P.L. 89-487, 80 Stat. 250. 

5 U.S.C. §552. 99 

Major Relevant Provisions 

• Enables any person to access — without explanation or justification — existing, 
identifiable, unpublished executive-branch agency records, unless the material 
falls within any of FOIA’s nine categories of exemption from disclosure. 

Possible Updates 

Sharing of cybersecurity information between the federal government and nonfederal entities is 
widely considered to be an essential need, especially with respect to the protection of critical 
infrastructure (CI). However, attempts to encourage the private sector to share sensitive CI 
information with the federal government have, at times, been met with concerns that such records 
could be subject to public release under FOIA, resulting in potential economic or other harm to 
the source. 

Among the nine exemptions that permit agencies to withhold applicable records are three that 
may particularly apply to cybersecurity information: 

• Exemption 1: information properly classified for national defense or foreign 
policy purposes as secret under criteria established by an executive order. 

• Exemption 3: data specifically exempted from disclosure by a statute other than 
FOIA if that statute meets criteria laid out in FOIA. 100 

• Exemption 4: trade secrets and commercial or financial information obtained 
from a person that is privileged or confidential. 101 



(...continued) 

International Strategy for Cyberspace. 

99 Prepared by Wendy R. Ginsberg, Analyst in Government Organization and Management (wginsberg@crs.loc.gov, 7- 
3933). 

100 The statute must require that the data be withheld from the public in such a manner as to leave no discretion on the 
issue, establish particular criteria for withholding information or refer to particular types of matters to be withheld, or 
specifically cite the exemption if enacted after October 28, 2009, the date of enactment of the OPEN FOIA Act of 
2009, P.L. 111-83. These exemptions are also called “b(3) exemptions” because they are created pursuant to 5 U.S.C. 
§552(b)(3). 

101 Other exemptions may also sometimes apply to cybersecurity information. For further discussion of FOIA and its 
exemptions, see CRS Report R41933, The Freedom of Information Act (FOIA): Background and Policy Options for the 
113th Congress, by Wendy Ginsberg; and CRS Report R41406, The Freedom of Information Act and Nondisclosure 
Provisions in Other Federal Laws, by Gina Stevens. 
An example of Exemption 3 is Section 214 of the HSA (see p. 41), which exempts information 
about the security of critical infrastructure and protected systems that is voluntarily submitted to 
an agency covered under the act, provided that the entity that supplies the information expressly 
requests the exemption concurrently. 

Despite these existing protections, some private-sector entities may still have concerns about 
public release of sensitive records — that existing laws may not be specific enough to protect 
particular types of records, or they may be too narrow to protect all records of concern. The White 
House Proposal would have addressed such concerns by applying Exemption 3 to any lawfully 
obtained information provided to DHS for cybersecurity purposes. 102 The Task Force Report also 
suggested that a FOIA exemption may be needed, 103 and several bills, including H.R. 624, S. 
2105, S. 2151, S. 3342, and S. 3414 would have provided such a FOIA exemption, although none 
of those proposals would have directly modified the statute. Adding such broad exemptions to 
FOIA, however, could nevertheless prompt concerns about decreases in federal transparency. 

Omnibus Crime Control and Safe Streets Act of 1968 

P.L. 90-351, 82 Stat. 197. 

42 U.S.C. Chapter 46, §§3701 to 3797ee-1. 

Major Relevant Provisions 

• Title I established federal grant programs and other forms of assistance to state 
and local law enforcement. 

• Title III is a comprehensive wiretapping and electronic eavesdropping statute that 
not only outlawed both activities in general terms but that also permitted federal 
and state law enforcement officers to use them under strict limitations. 104 

Possible Updates 

The incidence of cybercrime has increased dramatically over the last decade. 105 State and local 
law enforcement agencies play an important role in combating cybercrime, but concerns have 



102 See “Sec. 245. Voluntary Disclosure of Cybersecurity Information,” in The White House, “Department of 
Homeland Security Cybersecurity Authority and Information Sharing,” May 12, 2011, pp. 8-9, 
http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf. 

103 Specifically, it states, “information sharing within existing structures can be improved through limited safe harbors 
when private sector entities voluntarily disclose threat, vulnerability, or incident information to the federal government 
or ask for advice or assistance to help increase protections on their own systems. These protections would need to 
address concerns about antitrust issues, liability, an exemption from the Freedom of Information Act (FOIA), 
protection from public disclosure, protection from regulatory use by government, and whether or not a private entity is 
operating as an agent of the government. However, the protection of personal privacy should be at the forefront of any 
limited legal protection proposal” (House Republican Cybersecurity Task Force, Recommendations, p. 11). 

104 These provisions, along with possible updates, are discussed under “Electronic Communications Privacy Act of 
1986.” 

105 There is no uniform definition of “cybercrime.” Furthermore, no definitive statistics on cybercrime appear to be 
publicly available. However, the public/private Internet Crime Complaint Center referred 25 times as many of the 
complaints it received to law enforcement agencies in 2010 (121,710) as in 2001 (4,810) (Internet Crime Complaint 
Center, 2010 Internet Crime Report, 2011, http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf). 
been raised about their abilities to invest sufficient resources in enforcement activities. In the 
111th Congress, H.R. 1292 would have added a program for law enforcement grants to state and 
local criminal justice agencies and relevant nonprofit organizations to combat “white collar 
crime,” including cybercrime. 



Racketeer Influenced and Corrupt Organizations Act (RICO) 

P.L. 91-452, 84 Stat. 941. 

18 U.S.C. Chapter 96, §§1961-1968. 

Major Relevant Provisions 

• Enlarges the civil and criminal consequences of a list of state and federal crimes 
when committed in a way characteristic of the conduct of organized crime 
(racketeering). 106 

Possible Updates 

The Task Force Report recommended that Congress change RICO “to include computer fraud 
within the definition of racketeering.” 107 The White House Proposal would have made felony 
violation of 18 U.S.C. §1030 (see “Counterfeit Access Device and Computer Fraud and Abuse 
Act of 1984”) a racketeering predicate offense. 



Federal Advisory Committee Act (FACA) 

P.L. 93-579, 86 Stat. 770. 

5 U.S.C. App. §§1-16. 



Major Relevant Provisions 

• Specifies the circumstances under which a federal advisory committee can be 
established, and its responsibilities and limitations. 

• Requires that meetings of such committees be open to the public and that records 
be available for public inspection. 108 

Possible Updates 

The act has been criticized as potentially impeding the full development of public/private 
partnerships in cybersecurity, particularly with respect to impeding private-sector 
communications and input on policy. 109 While Section 871 of the HSA provides the Secretary of 

106 For details, see CRS Report 96-950, RICO: A Brief Sketch, by Charles Doyle. 

107 House Republican Cybersecurity Task Force, Recommendations, p. 14. 

108 For more information, see CRS Report R40520, Federal Advisory Committees: An Overview, by Wendy Ginsberg. 

109 Isabelle Abele-Wigert and Myriam Dunn, International CIIP Handbook 2006, Vol. I (Center for Security Studies, 
ETH Zurich, 2006), p. 337, http://www.css.ethz.ch/publications/CIIP_HB_06_Vol-I.pdf; Brunner and Suter, 
International CIIP Handbook 2008/2009, p. 456. 
Homeland Security with the power to establish advisory committees that are exempt from the 
requirements of the act, it is possible that additional exemption authority would be helpful. Any 
such potential benefits might, however, need to be weighed against the impact of such authority 
on the public’s ability to participate in and access the records of affected advisory committees. 

The subcommittee version of H.R. 3674 would have exempted the organization created by the bill 
from requirements of the act. 



Privacy Act of 1974 

P.L. 93-579, 88 Stat. 1896. 

5 U.S.C. §552a. 

Major Relevant Provisions 

• Limits the disclosure of personally identifiable information (PII) held by federal 
agencies. 

• Requires agencies to provide access to persons with agency records containing 
information on them. 

• Established a code of fair information practices for collection, management, and 
dissemination of records by agencies, including requirements for security and 
confidentiality of records. 

Possible Updates 

Some observers argue that the act should be revised to clarify, in the context of cybersecurity, 
what is considered PII and how it can be used, such as by explicitly permitting the sharing among 
federal agencies — or with appropriate third parties such as owners and operators of critical 
infrastructure — of certain information, such as a computer’s Internet (IP) address, in 
examinations of threats, vulnerabilities, and attacks. The act contains some exemptions, such as 
for law enforcement activities (5 U.S.C. §552a(b)(7)) and duties of the Comptroller General (5 
U.S.C. §552a(b)(10)), but none relating specifically to cybersecurity. However, other observers 
may argue that the provisions in the act are sufficient to permit necessary cybersecurity activities, 
and that revising the act to provide additional authorities relating to cybersecurity could 
compromise the protections provided by the act. 110 In the 112th Congress, H.R. 1732 would have 
revised the act to take changes in information technology into account, but it did not specifically 
address information relating to cybersecurity. 



Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 

P.L. 98-473, 98 Stat. 2190. 

18 U.S.C. §1030. 



110 For information on how the act’s provisions have been interpreted by the courts, see Department of Justice, “Overview of the 
Privacy Act of 1974, 2010 Edition,” March 2, 2010, http://www.justice.gov/opcl/1974privacyact-overview.htm. 
Major Relevant Provisions 

As amended, 111 

• Provides criminal penalties, including asset forfeiture, for unauthorized access 
and wrongful use of computers and networks of the federal government or 
financial institutions, or in interstate or foreign commerce or communication; 

• Specifies wrongful use as obtaining protected information, damaging or 
threatening to damage a computer, using the computer to commit fraud, 
trafficking in stolen computer passwords, and espionage; 

• Criminalized electronic trespassing on and exceeding authorized access to federal 
government computers; and 

• Created a statutory exemption for intelligence and law enforcement activities. 112 

Possible Update 

The White House Proposal would add penalties for damaging certain critical infrastructure 
computers, increase penalties for most violations of the act, clarify certain offenses, and modify 
the act’s conspiracy and forfeiture provisions. In the 112th Congress, S. 2111, S. 2151, and S. 
3342 had similar provisions. S. 890, S. 2151, S. 3342, and the White House Proposal would have 
enlarged the scope of the password trafficking offense by removing the requirement that the 
computer affect interstate commerce or be used by the United States. S. 1151 would also have 
made several changes similar to but not as extensive as those in the Administration proposal. 113 
The Task Force Report recommended that the act be broadened to cover critical infrastructure 
systems, and possibly all private-sector computers, with increased criminal penalties. It also 
recommended that provisions should be focused narrowly enough to avoid creating unintended 
liability for legitimate activities. 114 



Electronic Communications Privacy Act of 1986 (ECPA) 

P.L. 99-508, 100 Stat. 1848. 

18 U.S.C. §§2510-2522, 18 U.S.C. §§2701-2712, 18 U.S.C. §§3121-3126. 115 



111 The Computer Fraud and Abuse Act of 1986 (P.L. 99-474, 100 Stat. 1213) expanded the scope of the original act. 
For government computers, it criminalized electronic trespassing, exceeding authorized access, and destroying 
information. It also criminalized trafficking in stolen computer passwords and created a statutory exemption for 
intelligence and law enforcement activities. 

112 For more information, see CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and 
Abuse Statute and Related Federal Criminal Laws, by Charles Doyle. 

113 See CRS Report R41941, The Obama Administration ’s Cybersecurity Proposal: Criminal Provisions, by Gina 
Stevens. 

114 House Republican Cybersecurity Task Force, Recommendations, p. 14. 

115 Prepared by Gina Stevens, Legislative Attorney (gstevens@crs.loc.gov, 7-2581). 
Major Relevant Provisions 

• Attempts to strike a balance between the fundamental privacy rights of citizens 
and the legitimate needs of law enforcement with respect to data shared or stored 
in various types of electronic and telecommunications services. 116 Since the act 
was passed the Internet and associated technologies have expanded 
exponentially. 117 The act consists of three parts: 

• A revised Title III of the “Omnibus Crime Control and Safe Streets Act of 
1968” (also known as “Title III” or the “Wiretap Act”) 118 prohibits the 
interception of wire, oral, or electronic communications unless an exception 
to the general rule applies. Unless otherwise provided, prohibits wiretapping 
and electronic eavesdropping; possession of wiretapping or electronic 
eavesdropping equipment; use or disclosure of information obtained through 
illegal wiretapping or electronic eavesdropping; and disclosure of 
information secured through court-ordered wiretapping or electronic 
eavesdropping, in order to obstruct justice. 119 

• The Stored Communications Act (SCA) 120 prohibits unlawful access to stored 
communications. 121 

• The Pen Register and Trap and Trace statute governing the installation and 
use of trap and trace devices and pen registers, 122 proscribing unlawful use of 
a pen register or a trap and trace device. 123 

• Establishes rules that law enforcement must follow before they can access data 
stored by service providers. Depending on the type of customer information 
involved and the type of service being provided, the authorization law 
enforcement must obtain in order to require disclosure by a third party will range 
from a simple subpoena to a search warrant based on probable cause. 



116 100 Stat. 1848; see also House Committee on the Judiciary, “Electronic Communications Privacy Act of 1986,” 
H.Rept. 99-647, 99 th Cong. 2d Sess. 2, at 19 (1986). 

117 House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA 
Reform and the Revolution in Cloud Computing, 2010, http://judiciary.house.gov/hearings/hear_100923.html 
(statement of Edward W. Felten, Professor, Princeton University): 

In 1986, when ECPA was passed, the Internet consisted of a few thousand computers. The network 
was run by the U.S. government for research and education purposes, and commercial activity was 
forbidden. There were no web pages, because the web had not been invented. Google would not be 
founded for another decade. Twitter would not be founded for another two decades. Mark 
Zuckerberg, who would grow up to start Facebook, was two years old. In talking about advances in 
computing, people often focus on the equipment. Certainly the advances in computing equipment 
since 1986 have been spectacular. Compared to the high-end supercomputers of 1986, today’s 
mobile phones have more memory, more computing horsepower, and a better network connection 
not to mention a vastly lower price. 

118 18 U.S.C. §§2510-2522. 

119 18 U.S.C. §2511. 

120 18 U.S.C. §§2701-2712. 

121 18 U.S.C. §2701. 

122 18 U.S.C. §§3121-3126. A trap and trace device identifies the source of incoming calls, and a pen register indicates 
the numbers called from a particular phone. 

123 18 U.S.C. §3121. 
Possible Updates 

ECPA reform efforts focus on crafting a legal structure that is up-to-date, can be effectively 
applied to modern technology, and that protects users’ reasonable expectations of privacy. ECPA 
is viewed by many stakeholders as unwieldy, complex, and difficult for judges to apply. 124 Cloud 
computing 125 poses particular challenges to the ECPA framework. For example, when law 
enforcement officials seek data or files stored in the cloud, such as web-based e-mail applications 
or online word processing services, the privacy standard that is applied is often lower than the 
standard that applies when law enforcement officials seek the same data stored on an individual’s 
personal or business hard drive. 126 

An ECPA reform advocacy coalition has advanced the following principles: 

• A governmental entity may require an entity covered by ECPA (a provider of 
wire or electronic communication service or a provider of remote computing 
service) to disclose communications that are not readily accessible to the public, 
but only with a search warrant issued based on a showing of probable cause, 
regardless of the age of the communications, the means or status of their storage 
or the provider’s access to or use of the communications in its normal business 
operations. 

• A governmental entity may access, or may require a covered entity to provide, 
prospectively or retrospectively, location information regarding a mobile 
communications device, but only with a warrant issued based on a showing of 
probable cause. 

• A governmental entity may access, or may require a covered entity to provide, 
prospectively or in real time, dialed number information, e-mail to and from 
information or other data currently covered by the authority for pen registers and 
trap and trace devices, but only after judicial review and a court finding that the 
governmental entity has made a showing at least as strong as the showing under 
2703(d). 

• Where the Stored Communications Act authorizes a subpoena to acquire 
information, a governmental entity may use such subpoenas only for information 
related to a specified account(s) or individual(s). All nonparticularized requests 
must be subject to judicial approval. 127 



124 J. Beckwith Burr, “The Electronic Communications Privacy Act of 1986: Principles for Reform,” March 30, 2010, 
http://www.digitaldueprocess.org/files/DDP_Burr_Memo.pdf. 

125 “Cloud computing is an emerging form of computing that relies on Internet-based services and resources to provide 
computing services to customers, while freeing them from the burden and costs of maintaining the underlying 
infrastructure. Examples of cloud computing include web-based e-mail applications and common business applications 
that are accessed online through a browser, instead of through a local computer” (Government Accountability Office, 
Information Security: Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing, 
GAO-10-513, May 2010, http://www.gao.gov/new.items/dl0513.pdf). 

126 House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA 
Reform and the Revolution in Cloud Computing (statement of Michael Hintze, Associate General Counsel, Microsoft 
Corp.). 



127 Digital Due Process Coalition, “Our Principles,” 2010, http://www.digitaldueprocess.org/index.cfm?objectid=99629E40-2551-11DF-8E02000C296BA163. 
The Task Force Report recommended changes to laws governing the protection of electronic 
communications to facilitate sharing of appropriate cybersecurity information, including the 
development of an anonymous reporting mechanism. 128 



Department of Defense Appropriations Act, 1987 

P.L. 99-591, 100 Stat. 3341-82, 3341-122. 

10 U.S.C. §167. 129 

Major Relevant Provisions 

• Provides specific authority to the U.S. Special Operations Command 
(USSOCOM) for the conduct of direct action, strategic reconnaissance, 
unconventional warfare, foreign internal defense, civil affairs, and psychological 
operations; also counterterrorism, humanitarian assistance, theater search and 
rescue, and such other activities as may be specified by the President or the 
Secretary of Defense. 

Possible Update 

In addition to the authority provided under this act, Title 10 of the U.S. Code provides inherent 
and specific authority to DOD to undertake the following activities: 

• Section 113 provides that, subject to the direction of the President, the Secretary 
of Defense has authority, direction, and control over DOD; 

• Section 164 provides specific authority for combatant commanders for the 
performance of missions assigned by the President or by the Secretary with the 
approval of the President. 

Specific authorities for combatant commanders are provided in Title 10 to use force in self- 
defense and for mission accomplishment — including in the recently recognized information 
operations environment. In preparing for contingencies or military operations, DOD undertakes 
activities to lessen risks to U.S. interests, including discrete actions to prepare for and respond to 
a cyberwarfare-related incident. 130 

Some military activities are conducted clandestinely to conceal the nature of the operation and 
passively collect intelligence. Activities focused on influencing the governing of a foreign 
country are deemed covert actions 131 and may not be conducted by members of the military 
absent a presidential finding and notification of the congressional intelligence committees. 132 



128 House Republican Cybersecurity Task Force, Recommendations, p. 14. For more information on ECPA, see CRS 
Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by 
Gina Stevens and Charles Doyle. 

129 Prepared by John Rollins, Specialist in Terrorism and National Security (jrollins@crs.loc.gov, 7-5529). 

130 CRS Report RL31787, Information Operations, Cyber-warfare, and Cybersecurity: Capabilities and Related Policy 
Issues, by Catherine A. Theohary. 

131 50 U.S.C. §413b(e) defines a covert action as “an activity or activities of the United States Government to influence 
political, economic, or military conditions abroad, where it is intended that the role of the United States Government 
(continued...) 
Some analysts suggest that in the cyber domain distinguishing between whether an action is or 
should be considered covert or clandestine is problematic, as an attacking adversary’s intent and 
location are often difficult to discern. Should this act be updated, reassessing DOD’s authorities in 
light of its unique intelligence capabilities may assist in responding to and conducting offensive 
cyber attacks. 



High Performance Computing Act of 1991 

P.L. 102-194, 105 Stat. 1594. 

15 U.S.C. Chapter 81. 133 

Major Relevant Provisions 

• Establishes a federal high-performance computing program and requires that it 
address security needs. 

• Requires that the program provide for interagency coordination and that an 
annual report on implementation be submitted to Congress. 

• Requires NIST to establish security and privacy standards in high-performance 
computing for federal systems. 

Possible Updates 

This act established the Networking and Information Technology Research and Development 
(NITRD) Program, which produces the required annual report. However, concerns have been 
raised that the program does not yield sufficient strategic planning and does not sufficiently stress 
cybersecurity research and development (R&D). In the 111th Congress, H.R. 2020, which passed 
the House, would have addressed that concern by requiring a five-year strategic plan with a three-
year review cycle. It would also have added a research goal of increasing understanding “of 
the scientific principles of cyber-physical systems” and improving methods for designing, 
developing, and operating such systems with high reliability, safety, and security. H.R. 967 in the 
112th Congress was similar but added provisions on cloud computing. S. 773 in the 111th 
Congress would have required NIST to develop cybersecurity standards and metrics for computer 
networks and user interfaces, as would S. 2105 and S. 3414 in the 112th Congress. S. 2151 and S. 
3342 would have established cybersecurity, including security of supply chains, as one of the 
goals for research under the act and contained a requirement similar to that of H.R. 967 for cyber- 
physical systems. H.R. 967, S. 2151, and S. 3342 would also have made a number of other 
amendments not directly related to cybersecurity. 



(...continued) 

will not be apparent or acknowledged publicly, but does not include . . . activities the primary purpose of which is to 
acquire intelligence . . . [or] traditional military activities or routine support to such activities.” 

132 For an explanation and analysis of issues relating to covert and clandestine activities see CRS Report RL33715, 
Covert Action: Legislative Background and Possible Policy Questions, by Marshall Curtis Erwin. 

133 Parts of the chapter have also been given other popular names: the Next Generation Internet Research Act of 1998 
(P.L. 105-305), and the Department of Energy High-End Computing Revitalization Act of 2004. 
Communications Assistance for Law Enforcement Act of 1994 
(CALEA) 

P.L. 103-414, 108 Stat. 4279. 

47 U.S.C. §1001 et seq. 134 

Major Relevant Provisions 

• Requires telecommunications carriers to assist law enforcement in performing 
electronic surveillance on their digital networks pursuant to court orders or other 
lawful authorization. 

• Directs the telecommunications industry to design, develop, and deploy solutions 
that meet requirements for carriers to support authorized electronic surveillance, 
including unobtrusive isolation of communications and call-identifying 
information for a target and provision of that information to law enforcement, in 
a manner that does not compromise the privacy and security of other 
communications. 

Possible Updates 

Some government and industry observers believe that CALEA should be revised to improve its 
effectiveness in addressing cybersecurity concerns. Among the concerns expressed are whether 
the act is the best mechanism for collecting information transmitted via the Internet, whether 
reassessment is needed of which private-sector entities the act covers and which government 
entities should be involved in enforcement and oversight, and what the role of industry should be 
in the development of the technologies and standards used to implement the provisions of the act. 
The Task Force Report recommended changes to laws governing the protection of electronic 
communications to facilitate sharing of appropriate cybersecurity information, including the 
development of an anonymous reporting mechanism. 135 



Communications Decency Act of 1996 

P.L. 104-104 (Title V), 110 Stat. 133.

47 U.S.C. §§223, 230. 136 

Major Relevant Provisions 

• Intended to regulate indecency and obscenity on telecommunications systems,
including the Internet. Although much of the law is targeted at lewd or
pornographic material, particularly when shown to children under the age of 18,
the obscenity and harassment provisions could also be interpreted as applying to
graphic, violent terrorist propaganda or incendiary language.

• Section 230(c)(1) asserts that “no provider or user of an interactive computer
service shall be treated as the publisher or speaker of any information.” This has
been interpreted to absolve Internet service providers and certain web-based
services of responsibility for third-party content residing on those networks or
websites. 137



134 Prepared by Patricia Moloney Figliola, Specialist in Internet and Telecommunications Policy
(pfigliola@crs.loc.gov, 7-2508).

135 House Republican Cybersecurity Task Force, Recommendations, p. 14.

136 Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations
(ctheohary@crs.loc.gov, 7-0844). These provisions are codified to Chapter 5 of Title 47, the “Communications Act of
1934.” Codification of the various provisions of this act is complex. See 47 U.S.C. §609 nt. for details.

Possible Updates 

Some argue that certain Internet content, such as terrorist chat rooms or propaganda websites, 
presents a national security or operational threat that is not represented within the 
Communications Decency Act. Further, should such material be deemed as “indecent,” the law 
does not give federal agencies the authority to require the Internet service providers hosting
the content to take it offline.

These critics maintain that the law should be revised to compel ISPs and web administrators to 
dismantle sites containing information that could be used to incite harm against the United States. 
A possible revision could be similar to the “take down and put back” provision in the Digital
Millennium Copyright Act, 112 Stat. 2860, P.L. 105-304, which amended title 17 of the U.S. Code
to hold a service liable for publishing material that is defamatory or infringes upon a third-party
copyright.

Others maintain that such a revision is counter to the spirit of free, open exchange of information 
that is characterized by the Internet and may be a First Amendment violation. Some have also 
expressed concerns that the intelligence value gained by preserving and monitoring the sites 
outweighs the potential threat risk. 



Clinger-Cohen Act (Information Technology Management Reform 
Act) of 1996 

P.L. 104-106 (Divisions D and E), 110 Stat. 642. 

40 U.S.C. §11101 et seq. 138



Major Relevant Provisions 

• Gave agency heads authority to acquire IT and required them to ensure the 
adequacy of agency information security policies. 

• Established the position of agency Chief Information Officer (CIO), responsible 
for assisting agency heads in IT acquisition and management. 



137 See CRS Report R41499, The Communications Decency Act: Section 230(c)(1) and Online Intermediary Liability, 
by Kathleen Ann Ruane and Julia Tamulis. 

138 Prepared by Wendy R. Ginsberg, Analyst in Government Organization and Management (wginsberg@crs.loc.gov,
7-3933), and Eric A. Fischer. The two divisions, originally known as the Federal Acquisition Reform Act and the
Information Technology Management Reform Act, were renamed as the Clinger-Cohen Act by P.L. 104-208 and
reclassified into 40 U.S.C. Subtitle III by P.L. 107-217 (see 40 U.S.C. §101 nt).
• Requires the Office of Management and Budget (OMB) to oversee major
information technology (IT) acquisitions.

• Requires OMB to promulgate, in consultation with the Secretary of Homeland 
Security, compulsory federal computer standards based on those developed by 
the National Institute of Standards and Technology (NIST). 139 

• Exempts national security systems from most provisions. 

Possible Update 

With the increasing globalization of the IT hardware and software industries, concerns have been 
growing among cybersecurity experts about potential vulnerabilities at various points along the 
supply chain for IT products. H.R. 1136, introduced in the 112th Congress, would have addressed
such concerns with respect to federal acquisition of IT products and services by requiring vendors 
to meet security requirements to be developed by OMB, and also requiring vulnerability 
assessments by agencies. 

S. 413 (similar to S. 3480 in the 111th Congress), S. 2105, S. 2151, S. 3342, S. 3414, and the
White House Proposal would have returned the authority for promulgating standards for federal 
systems to the Secretary of Commerce. 140 H.R. 1163, in contrast, would not have amended that 
provision. 

Congress and the executive branch have debated the limits of the authority and jurisdiction of 
CIOs since their establishment. In the private sector, CIOs may often serve as the senior IT 
decision maker. In federal agencies, in contrast, CIOs do not have budgetary control or authority 
over IT resources. 141 As part of a plan to reform federal IT management, 142 the Obama 
Administration has indicated its intention to change the role of CIOs “away from just 
policymaking and infrastructure maintenance, to encompass true portfolio management for all 
IT,” including information security. 143 The White House Proposal does not include any provisions 
related to that proposed change, but additional legislative authority may be required for such a 
change to be fully implemented. 

The Obama Administration also appointed a federal chief information officer and a federal chief
technology officer (CTO), positions first created in the George W. Bush Administration, where
the OMB deputy director of management also served as federal CIO. In the 111th Congress, H.R.
1910 and H.R. 5136, and H.R. 1136 in the 112th Congress, contained provisions to establish a
statutory basis for the CTO position, not, however, explicitly as amendments to the Clinger-Cohen
Act. 144 Some proposals in previous Congresses would also have established the federal
CIO position in law. 145



139 The Clinger-Cohen Act originally gave this promulgation authority to the Secretary of Commerce, while providing
the President authority to disapprove or modify such standards, and gave the Secretary authority to waive the standards
in specific cases to avoid adverse financial or mission-related impacts. The “Federal Information Security Management
Act of 2002 (FISMA),” enacted as part of the Homeland Security Act, transferred that authority to OMB.

140 See the discussion of FISMA, p. 44.

141 They do have authority under FISMA to ensure compliance with that law’s information security requirements (44
U.S.C. §3544). Some agency CIOs also have statutory authority in addition to that provided by Clinger-Cohen and
FISMA. For example, the CIO of the intelligence community has procurement approval authority for IT (50 U.S.C.
§403-3g), and CIOs within DOD have budgetary review authority (10 U.S.C. §2223).

142 Vivek Kundra, 25-Point Implementation Plan to Reform Federal Information Technology Management (The White
House, December 9, 2010), http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-Federal%20IT.pdf.

143 Jacob J. Lew, “Chief Information Officer Authorities,” Memorandum for the Heads of Executive Departments and
Agencies, M-11-29, August 8, 2011, pp. 1-2, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-29.pdf.



Identity Theft and Assumption Deterrence Act of 1998 

P.L. 105-318, 112 Stat. 3007.

18 U.S.C. §1028. 146

Major Relevant Provisions 

• Made identity theft a federal crime. 

• Provided penalties for individuals who either committed or attempted to commit 
identity theft. 

• Provided for forfeiture of property used or intended to be used in the fraud. 

• Directed the Federal Trade Commission (FTC) to record complaints of identity 
theft, provide victims with informational materials, and refer complaints to the 
appropriate consumer reporting and law enforcement agencies. 147 

Possible Updates 

See “Identity Theft Penalty Enhancement Act” below. 



Homeland Security Act of 2002 (HSA) 

P.L. 107-296 (Titles II and III), 116 Stat. 2135. 

6 U.S.C. §§121-195c, 441-444, and 481-486. 148 



Major Relevant Provisions 

• Transferred some functions relating to the protection of information
infrastructure from other agencies to the Department of Homeland Security
(DHS). 149



144 See CRS Report R40150, A Federal Chief Technology Officer in the Obama Administration: Options and Issues for
Consideration, by John F. Sargent Jr.

145 See, for example, CRS Report RL30914, Federal Chief Information Officer (CIO): Opportunities and Challenges, 
by Jeffrey W. Seifert. 

146 Prepared by Kristin M. Finklea, Coordinator, Analyst in Domestic Security (kfinklea@crs.loc.gov, 7-6259). See 18
U.S.C. §1001 nt. for classification details.

147 The FTC now records consumer complaint data and reports it in the Identity Theft Data Clearinghouse (Federal 
Trade Commission, “Reference Desk,” Fighting Back Against Identity Theft, December 22, 2010, http://www.ftc.gov/ 
bcp/edu/microsites/idtheft/reference-desk/index.html); identity theft complaint data are available for 2000 and forward. 

148 For classification details, see 6 U.S.C. §101 nt. 
• Requires DHS to provide state and local governments and private entities with
threat and vulnerability information, crisis-management support, and technical
assistance relating to recovery plans for critical information systems.

• Permits the Secretary of Homeland Security to designate qualified technologies 
as subject to certain protections from liability in claims relating to their use in 
response to an act of terrorism. 150 

• Established mechanisms to facilitate information sharing among federal agencies 
and appropriate nonfederal government and critical-infrastructure personnel. 151 

• Authorized DHS to establish a system of volunteer experts (“Net Guard”) to 
assist local communities in responding to attacks on information and 
communications systems. 

• Strengthened some criminal penalties relating to cybercrime. 

• Created the Directorate of Science and Technology within DHS and assigned it 
broad R&D responsibilities, although responsibilities relating to cybersecurity 
R&D were not specifically described. 

Possible Updates 

Various concerns have been raised about the ways in which the act addressed cybersecurity, and a 
number of proposals have been made since its enactment to enhance the cybersecurity provisions. 
In the 111th Congress, the most comprehensive legislative proposal was S. 3480, which was
reported out of the Senate Committee on Homeland Security and Governmental Affairs and
reintroduced in the 112th Congress as S. 413 with minor modifications. It
would have added provisions on cybersecurity that would have

• established a center for cybersecurity and communications within DHS; 

• required coordination with the DHS Office of Infrastructure Protection and 
sector-specific agencies; 

• established the United States Computer Emergency Readiness Team (US-CERT) 
within the center; 

• stipulated information-sharing procedures for federal agencies and other entities; 

• established a program within the center to provide assistance to the private 
sector; 




149 In particular, the act transferred to DHS the Federal Computer Incident Response Center, which had resided in the 
General Services Administration (GSA). In 2006, P.L. 109-295, The Department of Homeland Security Appropriations 
Act, 2007, established the position of Assistant Secretary for Cybersecurity and Communications (6 U.S.C. §321) 
within DHS but did not specify duties or responsibilities. 

150 This set of provisions (Subtitle G of Title VIII, 6 U.S.C. §441-444) is called the SAFETY Act. 

151 This set of provisions (Subtitle I of Title VIII, 6 U.S.C. §481-486) is called the Homeland Security Information 
Sharing Act. Section 486 was added by P.L. 109-90 and provides some liability protections relating to actions 
involving information sharing and analysis centers. 
• required the center to identify cyber vulnerabilities to critical infrastructure and
establish requirements to address them;

• established procedures for response to imminent cyber threats to critical 
infrastructure, 152 enforcement of requirements, and protection of information; and 

• required a risk-management strategy for security of the supply chain. 

It would have established a cybersecurity R&D program in DHS and required coordination of 
those activities with other agencies and private entities. It would also have established a 
public/private-sector cybersecurity advisory council. 

The White House Proposal would also have substantially enhanced DHS authority relating to 
cybersecurity. The proposal differed in several ways from the approach taken by S. 413. Among 
other differences, it would have provided enhanced authority to the DHS Secretary that S. 413 
provided directly to a new center within the department. However, the White House Proposal 
would have required the Secretary to establish a center with cybersecurity responsibilities for 
federal and critical infrastructure systems. 153 It also did not codify the establishment of US-CERT,
unlike S. 413, and did not provide the President with the authority to implement emergency 
actions in response to an imminent risk to critical infrastructure. It did, however, provide the DHS 
Secretary with authority to direct responses of federal agencies to cybersecurity threats or 
incidents. 

S. 2105 and S. 3414 contained elements of both the White House Proposal and S. 413. They
would have established a new center, with new authorities, but omitted the provision in S. 413
establishing US-CERT by law, as well as the provision on presidential emergency powers.
S. 2105 and S. 3414 would have required the Science and Technology Directorate of DHS to
establish a cybersecurity R&D plan. S. 1546 would also have required departmental cybersecurity
research.

H.R. 3674, as reported to the House, would have provided additional responsibilities and 
authorities to DHS for the protection of federal information systems. It would have provided for 
information sharing with federal and nonfederal entities, cybersecurity research and development 
(R&D), and recruitment and retention of cybersecurity personnel. To facilitate information 
sharing and technical assistance, it would have created a center within DHS that would have 
included a private-sector board of advisors. Unlike the bill as introduced, it did not include a 
nongovernmental clearinghouse for sharing cybersecurity information between the private sector 
and the federal government that was recommended by the Task Force Report. H.R. 3674 would 
also have required DHS to perform cybersecurity R&D, to include testing, evaluation, and 
technology transfer. 

Some other bills in the 111th Congress would also have revised the act. H.R. 6423, reintroduced as
H.R. 174 in the 112th Congress, would establish a new office to develop, oversee, and enforce
cybersecurity compliance for critical infrastructure sectors. H.R. 266, reintroduced as H.R. 76,
would add a cybersecurity fellowship program for nonfederal officials to familiarize them with
DHS cybersecurity activities. H.R. 4507 and H.R. 4842 would have added a cybersecurity
training initiative for first responders and others. H.R. 2868 and S. 3599 would have added
chemical-facility security measures, including cybersecurity, to the act.

See also “Information Sharing.”



152 See also “Communications Act of 1934” above.

153 This center would presumably replace the federal incident center currently required under 44 U.S.C. 3546. The
revision of the Federal Information Security Management Act of 2002 (FISMA) in the White House Proposal does not
include the latter center.



Federal Information Security Management Act of 2002 (FISMA) 

P.L. 107-296 (Title X), 116 Stat. 2259. 

P.L. 107-347 (Title III), 116 Stat. 2946.

44 U.S.C. Chapter 35, Subchapters II and III, [40 U.S.C. 11331, 15 U.S.C. 278g-3 & 4]. 154

Major Relevant Provisions 

FISMA created a security framework for federal information systems, with an emphasis on risk 
management, and gave specific responsibilities to the Office of Management and Budget (OMB), 
the National Institute of Standards and Technology (NIST), and the heads, chief information 
officers (CIOs), chief information security officers (CISOs), and inspector generals (IGs) of 
federal agencies. 155 

• Required executive agencies to inventory major computer systems, identify and 
provide appropriate security protections, and develop, document, and implement 
agency-wide information security programs. 

• Gave OMB responsibility for overseeing federal information-security policy and 
evaluating agency information-security programs, but exempted national security 
systems, except with respect to enforcement of accountability for meeting 
requirements and reporting to Congress. 

• Revised the responsibilities of the Secretary of Commerce and NIST for 
information-system standards and transferred responsibility for promulgation of 
those standards from the Secretary of Commerce to OMB. 156 



154 FISMA was originally enacted as part of the Homeland Security Act of 2002, replacing provisions enacted by the 
Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001 (P.L. 106-398, Title X, Subtitle G), enacted 
in 2000 but with a 2002 sunset. FISMA was reenacted in the same Congress by the E-government Act. Subchapter II is 
not in effect. The title 40 provision was originally enacted as part of the Clinger-Cohen Act (see p. 39), and the title 15 
provisions are part of the NIST Act (see p. 24). See footnote 156 for more detail. 

155 For a more detailed description, see, for example, Government Accountability Office, Information Security:
Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137, October 2011,
http://www.gao.gov/new.items/d12137.pdf.

156 The standards-promulgation authority had been granted to the Secretary of Commerce under the Clinger-Cohen Act
of 1996 (P.L. 104-106) but was transferred to the Director of OMB by the FISMA title in the HSA in 2002 (P.L. 107-
296, Section 1002, 40 U.S.C. 11331). The version currently in effect (44 U.S.C. Chapter 35, Subchapter III) was
enacted by the FISMA title in the E-Government Act of 2002 (P.L. 107-347, Title III), which suspended Subchapter II,
which had been revised by the HSA. That is not the case for 40 U.S.C. 11331, for which the P.L. 107-347 version
would have retained the authority of the Secretary of Commerce to promulgate those standards as established in the
Clinger-Cohen Act of 1996 (see p. 39), even though the E-Government Act was enacted after the HSA. Similarly, the
revision to the NIST Act at 15 U.S.C. 278g-3 & 4 is that made by the HSA. The reason for this potentially confusing
difference appears to be that (1) the effective date of HSA was later than that of the E-Government Act, and (2) HSA
amended the existing subchapter II of 44 U.S.C. Chapter 35; the E-Government Act explicitly suspended that
subchapter. In contrast, the revisions both laws made to the Paperwork Reduction Act, adding a subsection (c) to 44
U.S.C. §3505 (requiring inventories of federal information systems) were codified. However, in a signing statement for
the E-Government Act, President George W. Bush stated that the Administration would interpret the act as permanently
superseding HSA “in those instances where both Acts prescribe different amendments to the same provisions of the
United States Code” (President George W. Bush, “About E-Gov: Presidential Statement,” December 17, 2002,
http://georgewbush-whitehouse.archives.gov/omb/egov/g-3-statement.html). Such ambiguities in interpretation would
presumably be resolved if FISMA is revised.

• Required that NIST cybersecurity standards be complementary with those
developed for national security systems, to the extent feasible.

• Required heads of federal agencies to provide security protections commensurate
with risk and to comply with applicable security standards. Specifically required
agencies using national security systems to provide security protections
commensurate with risk and in compliance with standards for such systems.

• Required senior agency officials to perform risk assessments, to determine and
implement necessary security controls in a cost-effective manner, and to evaluate
those controls periodically.

• Designated specific information-security responsibilities for agencies’ chief
information security officers, including agency-wide information-security
programs, policies, and procedures, and training of security and other personnel.

• Required designation of an information-security officer in each agency, security
awareness training, processes for remedial action to address deficiencies, and
procedures for handling security incidents and ensuring continuity of operations.

• Required annual agency reports to Congress, performance plans, and independent
evaluations of information security.

• Established a central federal incident center, overseen by OMB, to analyze
incidents and provide technical assistance relating to them, to inform agency
operators about current and potential threats and vulnerabilities, and to consult
with NIST, NSA, and other appropriate agencies about incidents.

• Gave responsibility for protection of mission-crucial systems in DOD and the
CIA to the Secretary of Defense and the DCI, respectively, and required the
Secretary of Defense to include compliance with the provisions above in
developing program strategies for the Defense Information Assurance Program
(10 U.S.C. §2224).

Possible Updates

A commonly expressed concern about FISMA is that it is awkward and inefficient in providing
adequate cybersecurity to government IT systems. The causes cited have varied but common
themes have included inadequate resources, a focus on procedure and reporting rather than
operational security, lack of widely accepted cybersecurity metrics, variations in agency
interpretation of the mandates in the act, excessive focus on individual information systems as
opposed to the agency’s overall information architecture, and insufficient means to enforce
compliance both within and across agencies. 157 Several legislative proposals in the 111th and 112th
Congresses included major revisions to the act. The proposals varied in detail, with several
notable provisions in some:

• Creation of a White House office with responsibility for cybersecurity;

• Transfer of responsibilities from OMB to the Secretary of Homeland Security or
the Secretary of Commerce;

• Revisions to agency responsibilities under the act, including continuous
monitoring, use of metrics, and emphasis on risk-based rather than minimum
security measures;

• Changes in reporting requirements;

• Specification of cybersecurity requirements for acquisitions and the IT supply
chain; and

• Establishment of mechanisms for interagency collaboration on cybersecurity.

In the 111th Congress, H.R. 5136 passed in the House, 158 and S. 3480 was reported out of the
Senate Homeland Security and Governmental Affairs Committee.

In the 112th Congress, the Task Force Report recommended an increased focus on monitoring,
support for DHS authority, and taking new and emerging technologies, such as cloud computing,
into account. 159 H.R. 1136 would have made many changes similar to those in H.R. 5136 in the
111th Congress, transferring responsibility to a new White House Office for Cyberspace created
by the bill. H.R. 1163, in contrast, retained the current role of the OMB Director. H.R. 1163
passed the House under suspension of the rules in April 2012.

S. 413 would have made changes similar to those in S. 3480 in the previous Congress,
transferring responsibility for federal information security policy from the Director of OMB to
the Director of a new DHS center that the bill would establish. The White House Proposal was
broadly similar to congressional proposals in many details. However, it would not have created a
White House cybersecurity office and would have transferred responsibilities to the DHS
Secretary rather than to a new cybersecurity center within DHS. S. 2105 and S. 3414 included a
similar approach. S. 2151 and S. 3342, in contrast, would have transferred responsibilities from
OMB to the Secretary of Commerce.

S. 1535 would have required that agency information security programs assess the practices of
contractors and third parties with respect to sensitive personally identifiable information as
defined in the bill and ensure that any deficiencies are remediated.

See also “FISMA Reform.”



157 See, for example, S.Rept. 111-368, and House Subcommittee on Government Management, Organization, and
Procurement, The State of Federal Information Security, Committee on Oversight and Government Reform
(Washington, DC: U.S. Government Printing Office, 2009), http://www.gpo.gov/fdsys/pkg/CHRG-111hhrg57125/pdf/
CHRG-111hhrg57125.pdf. OMB has recently attempted to address some of the operational issues administratively by
delegating some responsibilities to DHS (Orszag and Schmidt, “Clarifying Cybersecurity Responsibilities and
Activities of the Executive Office of the President and the Department of Homeland Security (DHS)”). Weaknesses in
FISMA implementation have been cited repeatedly by GAO in reports required by the act (see, for example,
Government Accountability Office, Information Security: Weaknesses Continue Amid New Federal Efforts to
Implement Requirements).

158 The bill included provisions from H.R. 4900, which was ordered reported by the House Oversight and Government
Reform Committee.

159 House Republican Cybersecurity Task Force, Recommendations, p. 13.



Terrorism Risk Insurance Act of 2002 

P.L. 107-297, 116 Stat. 2322. 

15 U.S.C. §6701 nt. 160 

Major Relevant Provisions 

• Provides federal cost-sharing subsidies for insured losses resulting from acts of 
terrorism. 

Possible Updates 

The act is intended to provide incentives for the development of insurance coverage for losses 
from acts of terrorism. Losses from cyber attacks are not specifically included, and some 
observers have raised concerns about whether some modification of the act would be 
appropriate. 161 



Cyber Security Research and Development Act, 2002 

P.L. 107-305, 116 Stat. 2367, 

15 U.S.C. [§§278g,h], §7401 et seq. 162

Major Relevant Provisions 

• Requires the National Science Foundation (NSF) to award grants for basic 
research to enhance computer security and for improving undergraduate and 
master’s degree programs, doctoral research, and faculty development programs 
in computer and network security; and to establish multidisciplinary centers for 
research on computer and network security. 

• Requires NIST to establish programs to award postdoctoral and senior research 
fellowships in cybersecurity and to assist institutions of higher learning that 
partner with for-profit entities to perform cybersecurity research; to perform 
intramural specified cybersecurity research; and to develop a checklist of security 
settings for federal computer hardware and software for voluntary use by federal 
agencies. 



160 The original act was amended by P.L. 109-144, the Terrorism Risk Extension Act of 1995, and P.L. 110-160, the
Terrorism Risk Insurance Program Reauthorization Act of 2007. For classification details, see 15 U.S.C. 6701 nt.

161 See, for example, Karen C. Yotis, “TRIA and the Perils of Terrorism Insurance,” Viewpoint, Summer 2007, 
http://www.aaisonline.com/viewpoint/07sum6.html. 

162 15 U.S.C. §§278g,h are part of the NIST Act (see p. 24). 
Possible Updates

A commonly expressed concern about federal research and development (R&D) relating to 
cybersecurity has been that it is insufficiently coordinated and prioritized, and focuses too little 
on understanding of fundamental principles and using them to develop transformational 
technologies. The George W. Bush Administration attempted to address the latter gap through the 
“leap-ahead” technology component of the Comprehensive Cybersecurity Initiative. 163 The 
Obama Administration’s policy review 164 also called for expanded, transformational research. 

Concerns have also been raised about the need to improve the process by which NIST creates 
checklists and other guidance and technical standards for federal IT systems. 165 

H.R. 4061 in the 111th Congress would have addressed those concerns by revising the act. A
similar bill in the 112th Congress, H.R. 756, would, as amended, have expanded NSF R&D
programs in cybersecurity, and required NIST to develop automated security specifications for its 
cybersecurity standards, checklists, and associated data. S. 2105, S. 2151, S. 3342, and S. 3414 
would also have expanded cybersecurity topics addressed by NSF. 



E-Government Act of 2002 

P.L. 107-347, 116 Stat. 2899.

5 U.S.C. Chapter 37, 44 U.S.C. 3501 nt., 44 U.S.C. Chapter 35, Subchapter 2, and Chapter 36. 

Major Relevant Provisions 

Serves as the primary legislative vehicle to guide federal IT management and initiatives to make
information and services available online. Significant provisions include the following:

• Established the Office of Electronic Government within OMB, to be headed by 
an administrator with a range of IT management responsibilities, including 
cybersecurity. 

• Established the interagency CIO (Chief Information Officer) Council and 
specified working with the National Institute of Standards and Technology 
(NIST) on security standards as one of its functions. 

• Assigned agency CIOs responsibility for monitoring implementation of federal 
cybersecurity standards in their agencies. 

• Contains various other requirements for security and protection of confidential 
information, including electronic authentication and privacy guidelines. 



163 See, for example, NITRD, “About the NITRD Program: National Cyber Leap Year”, July 22, 2009, 
http://www.nitrd.gov/leapyear/index.aspx. 

164 The White House, Cyberspace Policy Review. 

165 See, for example, H.Rept. 111-405, CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital
Crisis in Cybersecurity, July 2010, http://csis.org/files/publication/
100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf.
• Established a five-year personnel exchange program between federal agencies
and private sector organizations to help agencies fill IT management training
needs.

• Also included the “Federal Information Security Management Act of 2002
(FISMA).”

Possible Update 

The White House Proposal would have renewed the personnel exchange program, which
terminated at the end of 2007, and removed the current restriction in eligibility to management
personnel. While this program would be applicable to any subdiscipline of IT, a widely held 
belief at present is that gaps in cybersecurity expertise are of particular concern. S. 1732 would 
have revised the privacy provisions to account for the increased commercial availability of 
personally identifiable information, which the bill defined broadly. 166 It would also have required 
agencies to designate chief privacy officers and created a council of them, and broadened OMB’s 
privacy responsibilities. 



Identity Theft Penalty Enhancement Act 

P.L. 108-275, 118 Stat. 831. 

18 U.S.C. §§1028, 1028A. 167 

Major Relevant Provisions 

• Established penalties for aggravated identity theft, in which a convicted 
perpetrator could receive additional penalties (two to five years’ imprisonment) 
for identity theft committed in relation to other federal crimes. 168 

Possible Updates 

While the number of reported incidents of identity theft fell in 2010, identity theft has generally 
been the fastest growing type of fraud in the United States over the past decade. 169 FTC complaint 
data indicate that the most common fraud complaint received (19% of all consumer fraud 
complaints in 2010) has remained that of identity theft. 170 In 2010, for instance, about 8.1 million 
Americans were reportedly victims of identity theft. This is a decrease of about 28% from the 
approximately 11.1 million who were victimized in 2009. 171 Javelin Strategy and Research 
estimates that identity theft cost consumers about $37 billion in 2010. 



166 It would include “any information about an individual maintained by an agency.” 

167 Prepared by Kristin M. Finklea, Analyst in Domestic Security (kfinklea@crs.loc.gov, 7-6259). For classification 
details, see 18 U.S.C. §1028 nt. 

168 Examples of such federal crimes include theft of public property, theft by a bank officer or employee, theft from 
employee benefit plans, false statements regarding Social Security and Medicare benefits, several fraud and 
immigration offenses, and specified felony violations pertaining to terrorist acts. 

169 For more information on identity theft, see CRS Report R40599, Identity Theft: Trends and Issues, by Kristin 
Finklea. 

170 Federal Trade Commission, Consumer Sentinel Network Data Book for January—December, 2010, March 2010, 
http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2010.pdf. 

The most recent congressional action taken to enhance the identity theft laws was through the 
Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326). Among other 
elements, several of which were recommended by a presidential task force in 2007, 172 the act 
authorized restitution to identity theft victims for their time spent recovering from the harm 
caused by the actual or intended identity theft. Legislation has not yet, however, adopted 
recommendations of the task force to 

• amend the identity theft and aggravated identity theft statutes so that thieves who 
misappropriate the identities of corporations and organizations — and not just the 
identities of individuals — can be prosecuted, 173 and 

• amend the aggravated identity theft statute by adding new crimes as predicate 
offenses 174 for aggravated identity theft violations. 175 

The task force recommended that Congress clarify the identity theft and aggravated identity theft 
statutes to cover both individuals and organizations targeted by identity thieves because the range 
of potential victims includes not only individuals but organizations as well. The task force cites 
“phishing” as a means by which identity thieves assume the identity of a corporation or 
organization in order to solicit personally identifiable information from individuals. 176 

In part because identity theft is a facilitating crime, and the criminal act of stealing someone’s 
identity often does not end there, investigating and prosecuting identity theft often involves 
investigating and prosecuting a number of related crimes. In light of this interconnectivity, the 
task force recommended expanding the list of predicate offenses for aggravated identity theft. The 
task force specifically suggested adding identity theft-related crimes such as mail theft, 177 
counterfeit securities, 178 and tax fraud. 179 

The Task Force Report also recommended requiring restitution for victims of identity theft and 
computer fraud. 180 At present, the statute authorizes restitution but does not require it. 



171 Javelin Strategy & Research, 2011 Identity Fraud Survey Report: Consumer Version, February 2011, p. 5 (available 
at https://www.javelinstrategy.com/brochure/207). 

172 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007, 
http://www.identitytheft.gov/reports/StrategicPlan.pdf. 

173 This would involve revision of 18 U.S.C. §§1028 and 1028A. 

174 A predicate offense can be described as a crime that is a component of a more serious offense. For example, in the 
case of money laundering, the crime that produces the funds that are to be laundered is the predicate offense. 

175 This would involve revision of 18 U.S.C. §1028A. 

176 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, pp. 91-92. 

177 18 U.S.C. §1708. 

178 18 U.S.C. §513. 

179 26 U.S.C. §7201, 7206-7207. 

180 House Republican Cybersecurity Task Force, Recommendations, p. 14. 

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) 

P.L. 108-458, 118 Stat. 3638. 

42 U.S.C. §2000ee, 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et seq. 181 

Major Relevant Provisions 

• Established the position of the Director of National Intelligence. 

• Establishes mission responsibilities for some entities in the intelligence, 
homeland security, and national security communities. 

• Discusses issues related to the collection, analysis, and sharing of security-related 
information. 

• Establishes a Privacy and Civil Liberties Board within the Executive Office of 
the President. 

Possible Updates 

The act does not contain a single reference to cyber, cybersecurity, or related activities. Its stated 
purpose is to “reform the intelligence community and the intelligence and intelligence-related 
activities of the United States Government, and for other purposes.” The act contains findings and 
recommendations offered in the 9/11 Commission Report 182 and other assessments that address 
national and homeland security shortcomings associated with the terrorist attacks of September 
11, 2001. 

Numerous organizations, programs, and activities in the act currently address cybersecurity- 
related issues. IRTPA addresses many types of risks to the nation and threats emanating from 
man-made and naturally occurring events. The broad themes of the act could be categorized as 
how the federal government identifies, assesses, defeats, responds to, and recovers from current 
and emerging threats. The act might be updated to incorporate cybersecurity-related issues. 
However, any such update could affect numerous organizations and activities. 183 



181 Prepared by John Rollins, Specialist in Terrorism and National Security (jrollins@crs.loc.gov, 7-5529). 
Classification of this act is complex. For details, see 50 U.S.C. §401 nt. 

182 National Commission on Terrorist Attacks upon the United States, The 9/11 Commission Report, July 22, 2004, 
http://www.9-11commission.gov/report/911Report.pdf. 

183 For more information on threats, responses, and issues associated with cyberterrorism, see CRS Report R41674, 
Terrorist Use of the Internet: Information Operations in Cyberspace, by Catherine A. Theohary and John Rollins. 
Table 2. Laws Identified as Having Relevant Cybersecurity Provisions 

Year | Popular Name | Law | Stat. | U.S.C. | Applicability and Notes | CRS Reports 

6/18/1878 | Posse Comitatus Act (p. 21) | Ch. 263 | 20 Stat. 152 | 18 U.S.C. §1385 | Restricts the use of military forces in civilian law enforcement within the United States. May prevent assistance to civil agencies that lack DOD expertise and capabilities. | RS20590 

7/2/1890 and later | Antitrust Laws (p. 22): Sherman Antitrust Act; Wilson Tariff Act; Clayton Act; §5 of the Federal Trade Commission (FTC) Act | Ch. 647; Ch. 349, §73; P.L. 63-212; Ch. 311, §5 | 26 Stat. 209; 28 Stat. 570; 38 Stat. 730; 38 Stat. 719 | 15 U.S.C. §§1-7; 15 U.S.C. §§8-11; 15 U.S.C. §§12-27; 15 U.S.C. §45(a) | “Antitrust laws” generally means the three laws listed in 15 U.S.C. §12(a) and §5 of the FTC Act, which forbid combinations or agreements that unreasonably restrain trade. May create barriers to sharing of information or collaboration to enhance cybersecurity among private sector entities. | 

3/3/1901 | National Institute of Standards and Technology (NIST) Act (p. 24) | Ch. 872 | 31 Stat. 1449 | 15 U.S.C. §271 et seq. | The original act gave the agency responsibilities relating to technical standards. Later amendments established a computer standards program and specified research topics, among them computer and telecommunication systems, including information security and control systems. | 

8/13/1912 | Radio Act of 1912 | Ch. 287 | 37 Stat. 302 | | Established a radio licensing regime and regulated private radio communications, creating a precedent for wireless regulation. Repealed by the Radio Act of 1927. | 

6/10/1920 | Federal Power Act (p. 25) | Ch. 285 | 41 Stat. 1063 | 16 U.S.C. §791a et seq., §824 et seq. | Established the Federal Energy Regulatory Commission (FERC) and gave it regulatory authority over interstate sale and transmission of electric power. The move toward a national smart grid is raising concerns about vulnerability to cyber attack. | R41886 

2/23/1927 | Radio Act of 1927 | Ch. 169 | 44 Stat. 1162 | | Created the Federal Radio Commission as an independent agency (predecessor of the FCC) and outlawed interception and divulging private radio messages. Repealed by the Communications Act of 1934 (see p. 26). | 

6/19/1934 | Communications Act of 1934 (p. 26) | Ch. 652 | 48 Stat. 1064 | 47 U.S.C. §151 et seq. | Established the Federal Communications Commission (FCC) and gave it regulatory authority over both domestic and international commercial wired and wireless communications. Provides the President with emergency powers over communications stations and devices. Governs protection by cable operators of information about subscribers. | RL32589, RL34693 

7/26/1947 | National Security Act of 1947 (p. 27) | Ch. 343 | 61 Stat. 495 | 50 U.S.C. §401 et seq. | Provided the basis for the modern organization of U.S. defense and national security by reorganizing military and intelligence functions in the federal government. Created the National Security Council, the Central Intelligence Agency, and the position of Secretary of Defense. Established procedures for access to classified information. | 

1/27/1948 | US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 27) | Ch. 36 | 62 Stat. 6 | 22 U.S.C. §1431 et seq. | Restricts the State Department from disseminating public diplomacy information domestically and limits its authority to communicate with the American public in general. Has been interpreted by some to prohibit the military from conducting cyberspace information operations, some of which could be considered propaganda that could reach U.S. citizens, since the government does not restrict Internet access according to territorial boundaries. | R41674 

9/8/1950 | Defense Production Act of 1950 | Ch. 932 | 64 Stat. 798 | 50 U.S.C. App. §2061 et seq. | Codifies a robust legal authority given the President to force industry to give priority to national security production and ensure the survival of security-critical domestic production capacities. It is also the statutory underpinning of governmental review of foreign investment in U.S. companies. | RS20587, RL31133 

8/1/1956 | State Department Basic Authorities Act of 1956 (p. 28) | P.L. 84-885 | 70 Stat. 890 | 22 U.S.C. §2651a | Specifies the organization of the Department of State, including the positions of coordinator for counterterrorism. As the Internet becomes increasingly international, concerns have been raised about the development and coordination of international efforts in cybersecurity by the United States. | R40989 

10/30/1965 | Brooks Automatic Data Processing Act | P.L. 89-306 | 79 Stat. 1127 | | Gave GSA authority over acquisition of automatic data processing equipment by federal agencies, and gave NIST responsibilities for developing standards and guidelines relating to automatic data processing and federal computer systems. Repealed by the Clinger-Cohen Act of 1996 (see p. 39). | 

7/4/1966 | Freedom of Information Act (FOIA) (p. 29) | P.L. 89-487 | 80 Stat. 250 | 5 U.S.C. §552 | Enables anyone to access agency records except those falling into nine categories of exemption, among them classified documents, those exempted by specific statutes, and trade secrets or other confidential commercial or financial information. | R41406, R41933 

6/19/1968 | Omnibus Crime Control and Safe Streets Act of 1968 (p. 30) | P.L. 90-351 | 82 Stat. 197 | 42 U.S.C. Chapter 46, §§3701 to 3797ee-1 | Title I established federal grant programs and other forms of assistance to state and local law enforcement. Title III is a comprehensive wiretapping and electronic eavesdropping statute that not only outlawed both activities in general terms but that also permitted federal and state law enforcement officers to use them under strict limitations. | 

10/15/1970 | Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 31) | P.L. 91-452 | 84 Stat. 941 | 18 U.S.C. Chapter 96, §§1961-1968 | Enlarges the civil and criminal consequences of a list of state and federal crimes when committed in a way characteristic of the conduct of organized crime (racketeering). | 96-950 

10/6/1972 | Federal Advisory Committee Act (p. 31) | P.L. 92-463 | 86 Stat. 770 | 5 U.S.C. App., §§1-16 | Specifies conditions for establishing a federal advisory committee and its responsibilities and limitations. Requires open, public meetings and that records be available for public inspection. Has been criticized as potentially impeding the development of public/private partnerships in cybersecurity, particularly private-sector communications and input on policy. | R40520 

11/7/1973 | War Powers Resolution | P.L. 93-148 | 87 Stat. 555 | 50 U.S.C. Chapter 33, §§1541-1548 | Establishes procedures to circumscribe presidential authority to use armed forces in potential or actual hostilities without congressional authorization. | R41199, R41989 

12/31/1974 | Privacy Act of 1974 (p. 32) | P.L. 93-579 | 88 Stat. 1896 | 5 U.S.C. §552a | Limits the disclosure of personally identifiable information (PII) held by federal agencies. Established a code of fair information practices for collection, management, and dissemination of records by agencies, including requirements for security and confidentiality of records. | 

10/25/1978 | Foreign Intelligence Surveillance Act of 1978 (FISA) | P.L. 95-511 | 92 Stat. 1783 | 18 U.S.C. §§2511, 2518-9, 50 U.S.C. Chapter 36, §§1801-1885c | In foreign intelligence investigations, provides a statutory framework for federal agencies to obtain authorization to conduct electronic surveillance, utilize pen registers and trap and trace devices, or access specified records. | 98-326, R40138 

10/13/1980 | Privacy Protection Act of 1980 | P.L. 96-440 | 94 Stat. 1879 | 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12 | Protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before dissemination to the public. | 

10/12/1984 | Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 32) | P.L. 98-473 | 98 Stat. 2190 | 18 U.S.C. §1030 | Provided criminal penalties for unauthorized access and use of computers and networks. Part of the Comprehensive Crime Control Act of 1984. | 97-1025 

10/16/1986 | Computer Fraud and Abuse Act of 1986 | P.L. 99-474 | 100 Stat. 1213 | 18 U.S.C. §1030 | Expanded the scope of the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. For government computers, criminalized electronic trespassing, exceeding authorized access, and destroying information; also criminalized trafficking in stolen computer passwords. Created a statutory exemption for intelligence and law enforcement activities. | 

10/21/1986 | Electronic Communications Privacy Act of 1986 (ECPA) (p. 33) | P.L. 99-508 | 100 Stat. 1848 | 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126 | Attempts to strike a balance between privacy rights and the needs of law enforcement with respect to data shared or stored by electronic and telecommunications services. Unless otherwise provided, prohibits the interception of or access to stored oral or electronic communications, use or disclosure of information so obtained, or possession of electronic eavesdropping equipment. | R41733, R41756, RL34693 

10/30/1986 | Department of Defense Appropriations Act, 1987 (p. 36) | P.L. 99-591 | 100 Stat. 3341-82, 3341-122 | 10 U.S.C. §167 | Established unified combatant command for special operations forces, including the U.S. Strategic Command, under which the U.S. Cyber Command was organized. | 

1/8/1988 | Computer Security Act of 1987 | P.L. 100-235 | 101 Stat. 1724 | 15 U.S.C. §§272, 278g-3, 278g-4, 278h | Required NIST to develop and the Secretary of Commerce to promulgate security standards and guidelines for federal computer systems except national security systems. Also required agency planning and training in computer security (this provision was superseded by FISMA; see p. 44). | 

10/18/1988 | Computer Matching and Privacy Protection Act of 1988 | P.L. 100-503 | 102 Stat. 2507 | 5 U.S.C. §552a | Amended the Privacy Act (see p. 32), establishing procedural safeguards for use of computer matching on records covered by the act. | 

12/9/1991 | High Performance Computing Act of 1991 (p. 36) | P.L. 102-194 | 105 Stat. 1594 | 15 U.S.C. Chapter 81 | Established a federal high-performance computing program and requires that it address security needs and provide for interagency coordination. | RL33586 

10/25/1994 | Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 38) | P.L. 103-414 | 108 Stat. 4279 | 47 U.S.C. §1001 et seq. | Requires telecommunications carriers to assist law enforcement in performing electronic surveillance and directs the telecommunications industry to design, develop, and deploy solutions that meet requirements for carriers to support authorized electronic surveillance. | RL30677 

5/25/1995 | Paperwork Reduction Act of 1995 | P.L. 104-13 | 109 Stat. 163 | 44 U.S.C. Chapter 35, §§3501-3549 | Gave the Office of Management and Budget (OMB) authority to develop information-resource management policies and standards, required consultation with NIST and GSA on information technology (IT), and required agencies to implement processes relating to information security and privacy. | 

2/8/1996 | Telecommunications Act of 1996 | P.L. 104-104 | 110 Stat. | See 47 U.S.C. §609 nt. for affected provisions. | Overhauled telecommunications law, including significant deregulation of U.S. telecommunications markets, eliminating regulatory barriers to competition. | 

2/8/1996 | Communications Decency Act of 1996 (p. 38) | P.L. 104-104 (Title V) | 110 Stat. 133 | See 47 U.S.C. §§223, 230 | Intended to regulate indecency and obscenity on telecommunications systems, including the Internet. Has been interpreted to absolve Internet service providers and certain web-based services of responsibility for third-party content residing on those networks or websites. | R41499 

2/10/1996 | Clinger-Cohen Act (Information Technology Management Reform Act of 1996) (p. 39) | P.L. 104-106 (Div. D and E) | 110 Stat. 642 | 40 U.S.C. §11001 et seq. | Required agencies to ensure adequacy of information-security policies, OMB to oversee major IT acquisitions, and the Secretary of Commerce to promulgate compulsory federal computer standards based on those developed by NIST. Exempted national security systems from most provisions. | 

8/21/1996 | Health Insurance Portability and Accountability Act of 1996 (HIPAA) | P.L. 104-191 | 110 Stat. 1936 | 42 U.S.C. §1320d et seq. | Required the Secretary of Health and Human Services to establish security standards and regulations for protecting the privacy of individually identifiable health information, and required covered health-care entities to protect the security of such information. | RL34120 

10/11/1996 | Economic Espionage Act of 1996 | P.L. 104-294 | 110 Stat. 3488 | 18 U.S.C. §1030, Chapter 90, §§1831-1839 | Outlaws theft of trade secret information, including electronically stored information, if “reasonable measures” have been taken to keep it secret. Also contains the National Information Infrastructure Protection Act of 1996, amending 18 U.S.C. §1030 (see the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, p. 32), broadening prohibited activities relating to unauthorized access to computers. | 

10/30/1998 | Identity Theft and Assumption Deterrence Act of 1998 (p. 41) | P.L. 105-318 | 112 Stat. 3007 | 18 U.S.C. §1028 | Made identity theft a federal crime, provides penalties, and directed the FTC to record and refer complaints. | R40599 

10/5/1999 | National Defense Authorization Act for Fiscal Year 2000 | P.L. 106-65 | 113 Stat. 512 | 10 U.S.C. §2224 | Established the Defense Information Assurance Program and required development of a testbed and coordination with other federal agencies. | 

11/12/1999 | Gramm-Leach-Bliley Act of 1999 | P.L. 106-102 (Title V) | 113 Stat. 1338 | 15 U.S.C. Chapter 94, §§6801-6827 | Requires financial institutions to protect the security and confidentiality of customers’ personal information; authorized regulations for that purpose. | RL34120, RS20185 

10/30/2000 | Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001 | P.L. 106-398 (Titles IX & X) | 114 Stat. 1654A-233; 1654A-266 | 10 U.S.C. Chapter 112, §§2200-2200f | Established the DOD information assurance scholarship program; set cybersecurity requirements for federal systems superseded by FISMA in 2002. | 

10/26/2001 | USA PATRIOT Act of 2001 | P.L. 107-56 | 115 Stat. 272 | see 18 U.S.C. §1 nt. and classification tables. a | Authorized various law-enforcement activities relating to computer fraud and abuse. | R40980 

7/30/2002 | Sarbanes-Oxley Act of 2002 | P.L. 107-204 | 116 Stat. 745 | 15 U.S.C. §7262 | Requires annual reporting on internal financial controls of covered firms to the Securities and Exchange Commission (SEC). Such controls typically include information security. | 

11/25/2002 | Homeland Security Act of 2002 (HSA) (p. 41) | P.L. 107-296 (Titles II and III) | 116 Stat. 2135 | 6 U.S.C. §§121-195c, 441-444, and 481-486 | Created the Department of Homeland Security (DHS) and gave it functions relating to the protection of information infrastructure, including providing state and local governments and private entities with threat and vulnerability information, crisis-management support, and technical assistance. Strengthened some criminal penalties relating to cybercrime. | 

11/25/2002 | Federal Information Security Management Act of 2002 (FISMA) (p. 44) | P.L. 107-296 (Title X); P.L. 107-347 (Title III) | 116 Stat. 2259; 116 Stat. 2946 | 44 U.S.C. Chapter 35, Subchapters II and III, 40 U.S.C. 11331, 15 U.S.C. 278g-3 & 4 | Created a cybersecurity framework for federal information systems, with an emphasis on risk management, and required implementation of agency-wide information security programs. Gave oversight responsibility to OMB, revised the responsibilities of the Secretary of Commerce and NIST for information-system standards, and transferred responsibility for promulgation of those standards from the Secretary of Commerce to OMB. | 

11/26/2002 | Terrorism Risk Insurance Act of 2002 (p. 47) | P.L. 107-297 | 116 Stat. 2322 | 15 U.S.C. §6701 nt. | Provides federal cost-sharing subsidies for insured losses resulting from acts of terrorism. | 

11/27/2002 | Cyber Security Research and Development Act, 2002 (p. 47) | P.L. 107-305 | 116 Stat. 2367 | 15 U.S.C. §§278g, h, 7401 et seq. | Requires the National Science Foundation (NSF) to award grants for basic research and education to enhance computer security. Required NIST to establish cybersecurity research programs. | 

12/17/2002 | E-Government Act of 2002 (p. 48) | P.L. 107-347 | 116 Stat. 2899 | 5 U.S.C. Chapter 37, 44 U.S.C. §3501 nt., Chapter 35, Subchapter 2, and Chapter 36 | Serves as the primary legislative vehicle to guide federal IT management and initiatives to make information and services available online. Established the Office of Electronic Government within OMB, the Chief Information Officers (CIO) Council, and a government/private-sector personnel exchange program; includes FISMA; established and contains various other requirements for security and protection of confidential information. | 

12/4/2003 | Fair and Accurate Credit Transactions Act of 2003 | P.L. 108-159 | 117 Stat. 1952 | See 15 U.S.C. §1601 nt. for affected provisions. | Required the FTC and other agencies to develop guidelines for identity theft prevention programs in financial institutions, including “red flags” indicating possible identity theft. | RS20185 

12/16/2003 | Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 | P.L. 108-187 | 117 Stat. 2699 | 15 U.S.C. Chapter 103, §§7701-7713, 18 U.S.C. 1037 | Imposed regulations on the transmission of unsolicited commercial email, including prohibitions against predatory and abusive email, and false or misleading transmission of information. | 

7/15/2004 | Identity Theft Penalty Enhancement Act 2004 (p. 49) | P.L. 108-275 | 118 Stat. 831 | 18 U.S.C. §§1028, 1028A | Established penalties for aggravated identity theft. | R40599 

12/17/2004 | Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (p. 51) | P.L. 108-458 | 118 Stat. 3638 | 42 U.S.C. §2000ee, 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et seq. | Created the position of Director of National Intelligence (DNI). Established mission responsibilities for some entities in the intelligence, homeland security, and national security communities, and established a Privacy and Civil Liberties Board within the Executive Office of the President. | 

8/8/2005 | Energy Policy Act of 2005 (EPACT) | P.L. 109-58 | 119 Stat. 594 | 16 U.S.C. 824o | Requires FERC to certify an Electric Reliability Organization (ERO) to establish and enforce reliability standards for bulk electric-power system facilities. | R41886 

10/4/2006 | Department of Homeland Security Appropriations Act, 2007 | P.L. 109-295 | 120 Stat. 1355 | 6 U.S.C. §121 nt. | §550 required the Secretary of Homeland Security to issue regulations (6 C.F.R. Part 27) establishing risk-based performance standards for security of chemical facilities; regulations include cybersecurity standards requirement (6 C.F.R. §27.230(a)(8)). | 

8/5/2007 | Protect America Act of 2007 | P.L. 110-55 | 121 Stat. 552 | 50 U.S.C. §1801 nt. | Provided authority for the Attorney General and the DNI to gather foreign intelligence information on persons believed to be overseas. The act expired in 2008. | 

12/19/2007 | Energy Independence and Security Act of 2007 (EISA) | P.L. 110-140 | 121 Stat. 1492 | 42 U.S.C. §§17381-17385 | Gave NIST primary responsibility for developing interoperability standards for the electric-power “smart grid.” | R41886 

7/10/2008 | Foreign Intelligence Surveillance Act of 1978 [FISA] Amendments Act of 2008 | P.L. 110-261 | 122 Stat. 2436 | See 50 U.S.C. §1801 nt. for affected provisions. | Added additional procedures to FISA (see p. 55) for acquisition of communications of persons outside the United States. | 98-326 

9/26/2008 | Identity Theft Enforcement and Restitution Act of 2008 | P.L. 110-326 | 122 Stat. 356 | 18 U.S.C. §1030 | Authorized restitution to identity theft victims and modified some of the activities and penalties covered by 18 U.S.C. 1030. | R40599, 97-1025 

2/17/2009 | Health Information | P.L. | 123 | 42 U.S.C. | Expanded privacy and security | R40546 




Technology for 


1 1 1-5 


Stat. 


§17901 et 


requirements for protected 






Economic and 


(Title 


226 


seq. 


health information by 






Clinical Health Act 


XIII of 






broadening HIPAA breach 








Div. 






disclosure notification and 








A and 






privacy requirements to 








Title 






include business associates of 








IV of 






covered entities. 








Div. 











B) 



Source: Various sources (see text), including National Research Council, Toward a Safer and More Secure 
Cyberspace (Washington, DC: National Academy Press, 2007); The White House, Cyberspace Policy Review, May 
29, 2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; and CRS. 

Note: Prepared by Rita Tehan, Information Research Specialist (rtehan@crs.loc.gov, 7-6739) and Eric A. Fischer. 
Laws in italics are discussed in the text. 
a. Office of the Law Revision Counsel, “United States Code Table of Classifications for Public Laws, 107th Congress, 1st Session (Covering Public Laws 107-1 through 107-136),” http://uscode.house.gov/classification/tbl107pl1st.htm.